title: SilentProcessExit Monitor Registrytion
id: c81fe886-cac0-4913-a511-2822d72ff505
description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
status: experimental
author: Florian Roth
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
date: 2021/02/26
modified: 2022/03/26
logsource:
    category: registry_set
    product: windows
detection:
    selection:   
        EventType: SetValue 
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
        Details|contains: 'MonitorProcess'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.t1546.012