[Bug] Suspicious String Value Written to Registry Run Key

[tyler-mcadam]

Describe the bug
The description references Run and RunOnce, but the query only includes Run.

To Reproduce
Steps to reproduce the behavior:

1. Read rule description -- "Identifies when suspicious values are written to Run and RunOnce registry keys via signed binaries..."
2. Verify RunOnce is not included in query

registry.path : ( "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*")

Expected behavior
Description closely matching what the rule will trigger on.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows
• Version: Any/all

Additional context

[Samirbous]

@tyler-mcadam thank you for reporting this. The rule initially had RunOnce in it (see below screenshot) but due to some recurrent false positives caused by RunOnce we had to remove it from the query, we will update the rule description to reflect that change :

We do have this broad detection rule compatible with Elastic Defend https://github.com/elastic/detection-rules/blob/bd62867465d6144783ce23d571083a7e982b6251/rules/windows/persistence_run_key_and_startup_broad.toml#L125 that capture RunOnce.

Also the following endpoint rules captures RunOnce :

https://github.com/search?q=repo%3Aelastic%2Fprotections-artifacts+%22%5C%5CRunOnce%5C%5C%22&type=code

[tyler-mcadam]

Wow that was fast. I figured that was the case but I couldn't find where runonce was removed. Thanks!