Query the Registry for Active Setup information
AID2201032000.YAML
#####aid_begin
#description: fetch the information from the Active Setup registry keys
#id: aid2201032000
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# Windows 7
# Windows 8.*
# Windows 10
# Windows 11
# Windows Server 2008 R2
# Windows Server 2012
# Windows Server 2012 R2
# Windows Server 2016
# Windows Server 2019
#compatibleengine: |-
# PowerShell 2
# PowerShell 3
# PowerShell 4
# PowerShell 5.*
# PowerShell 7.*
#bgcommandlist: |-
# Get-BGRegistry
#notes: |-
# Adversaries may achieve persistence by adding a registry key under the Active Setup "Installed Components" key of the local machine, which Windows uses to run programs when a user logs in. An adversary can abuse this component by creating a subkey with a malicious "StubPath" value: the stub is executed at logon for every user whose HKCU copy of the key is missing or carries an older "Version", so the payload survives reboots and runs once for each user who logs on.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" -MatchValueName -Pattern 'StubPath'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" -MatchValueName -Pattern 'StubPath'
- Get-BGRegistry -StartKey "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" -MatchValueName -Pattern 'StubPath'
- Get-BGRegistry -StartKey "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" -MatchValueName -Pattern 'StubPath'
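The four queries above return every StubPath in the machine and per-user hives, but they do not say which stubs will actually fire. Active Setup runs a component's StubPath at interactive logon when the HKLM entry has IsInstalled set to something other than 0 and the user either has no copy of the component under HKCU or has a copy with an older Version; the HKCU keys are the bookkeeping Windows writes after a stub has run. The script below is an added example, not part of this AID file or of the Get-BGRegistry toolkit. It uses only built-in cmdlets (PowerShell 3 or later is assumed for [PSCustomObject]), applies that execution rule to each HKLM component, and attaches triage flags from a launcher list and directory checks chosen for this example; the HKCU lookup uses the same relative path as the AID's own four keys.

```powershell
# Added example for this page; it is not part of the AID file or of the Get-BGRegistry toolkit
# and uses only built-in cmdlets (PowerShell 3 or later assumed for [PSCustomObject]).
# For every Active Setup component that carries a StubPath it works out whether the stub would
# still execute at this user's next interactive logon and attaches a few triage flags.

$MachineRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Interpreters and download/execute utilities that are rarely a legitimate StubPath.
# This list is a heuristic chosen for the example, not something Active Setup defines.
$SuspiciousLaunchers = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'certutil', 'bitsadmin')

# Directories a legitimate stub is expected to live in (heuristic for the example).
$TrustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function ConvertTo-VersionParts {
    # "Version" values are written as "1,0,0,0"; return them as an int array, or $null when absent.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $parts = foreach ($p in ($Text -split '[,.]')) {
        $n = 0
        [void][int]::TryParse($p.Trim(), [ref]$n)
        $n
    }
    return ,@($parts)
}

function Compare-SetupVersion {
    # 1 when $A is newer than $B, -1 when older, 0 when equal; a missing version counts as oldest.
    param($A, $B)
    if ($null -eq $A -and $null -eq $B) { return 0 }
    if ($null -eq $A) { return -1 }
    if ($null -eq $B) { return 1 }
    $len = [Math]::Max($A.Count, $B.Count)
    for ($i = 0; $i -lt $len; $i++) {
        $x = if ($i -lt $A.Count) { $A[$i] } else { 0 }
        $y = if ($i -lt $B.Count) { $B[$i] } else { 0 }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

function Get-ActiveSetupStubPath {
    foreach ($root in $MachineRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $m = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $m -or [string]::IsNullOrWhiteSpace($m.StubPath)) { continue }

            # The per-user record lives at the same relative path under HKCU; Active Setup writes
            # it after the stub has run, which is why the AID also queries the two HKCU keys.
            $userKey = Join-Path -Path ($root -replace '^HKLM:', 'HKCU:') -ChildPath $key.PSChildName
            $u = $null
            if (Test-Path -Path $userKey) { $u = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue }
            $userVersion = if ($u) { $u.Version } else { $null }

            # Execution rule: IsInstalled=0 disables the component. Otherwise the stub runs when the
            # user has no record of the component, or when the machine Version is newer than the user's.
            $disabled = "$($m.IsInstalled)" -eq '0'
            $cmp = Compare-SetupVersion (ConvertTo-VersionParts $m.Version) (ConvertTo-VersionParts $userVersion)
            $willRun = (-not $disabled) -and (($null -eq $u) -or ($cmp -gt 0))

            # Triage flags: the first token of the StubPath (quoted or bare) is the launcher.
            $launcher = if ($m.StubPath -match '^"([^"]+)"') { $Matches[1] } else { ($m.StubPath -split '\s+')[0] }
            $launcherName = (($launcher -split '[\\/]')[-1]) -replace '\.[^.]+$', ''
            $expanded = [Environment]::ExpandEnvironmentVariables($launcher)
            $flags = @()
            if ($SuspiciousLaunchers -contains $launcherName.ToLower()) { $flags += 'interpreter/LOLBin launcher' }
            if ($launcher -match '[\\/]') {
                if (-not ($TrustedDirs | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'outside Windows/Program Files' }
                if (-not (Test-Path -LiteralPath $expanded)) { $flags += 'target not found' }
            }

            [PSCustomObject]@{
                Root           = $root
                Component      = $key.PSChildName
                Name           = $m.'(default)'
                StubPath       = $m.StubPath
                MachineVersion = $m.Version
                UserVersion    = $userVersion
                Disabled       = $disabled
                WillRunAtLogon = $willRun
                Flags          = ($flags -join '; ')
            }
        }
    }
}

# Everything that would fire at next logon or that trips a flag, ready for baselining.
Get-ActiveSetupStubPath | Where-Object { $_.WillRunAtLogon -or $_.Flags } | Format-Table -AutoSize
```

Windows itself ships several components with a StubPath, so diff the output against a known-good host of the same build rather than treating every entry as malicious; the flags are triage hints, not verdicts. The same correlation (HKLM entry against its HKCU counterpart, then launcher and path checks) can be applied to the raw Get-BGRegistry output of the four AID queries when the toolkit is what is deployed.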