Uncommon Registry Persistence Change

calendar Oct 21, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/11/18"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/10/17"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
 13be an indication of an adversary's attempt to persist in a stealthy manner.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Uncommon Registry Persistence Change"
 20references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
 21risk_score = 47
 22rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 23severity = "medium"
 24tags = [
 25    "Domain: Endpoint",
 26    "OS: Windows",
 27    "Use Case: Threat Detection",
 28    "Tactic: Persistence",
 29    "Data Source: Elastic Defend",
 30    "Data Source: Sysmon",
 31]
 32timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 33timeline_title = "Comprehensive Registry Timeline"
 34timestamp_override = "event.ingested"
 35type = "eql"
 36
 37query = '''
 38registry where host.os.type == "windows" and event.type == "change" and
 39 length(registry.data.strings) > 0 and
 40 registry.path : (
 41      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
 42      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
 43      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
 44      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
 45      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
 46      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
 47      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
 48      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
 49      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
 50      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
 51      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
 52      "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 53      "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
 54      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
 55      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
 56      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
 57      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
 58      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 59      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
 60      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
 61      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
 62      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
 63      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
 64      "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
 65      "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
 66      "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
 67      "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
 68      "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
 69      "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 70      "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
 71      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
 72      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
 73      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 74      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
 75      "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
 76      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
 77      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
 78      "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
 79      "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
 80      "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
 81      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
 82      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
 83      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
 84      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
 85      "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
 86      "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
 87      "HKLM\\SYSTEM\\Setup\\CmdLine",
 88      "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
 89
 90 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
 91                              "C:\\Program Files\\*.exe") and
 92 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
 93 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
 94                           "C:\\Windows\\SysWOW64\\msiexec.exe",
 95                           "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
 96                           "C:\\Program Files\\*.exe",
 97                           "C:\\Program Files (x86)\\*.exe") and
 98 not (process.name : ("TiWorker.exe", "poqexec.exe") and registry.value : "SetupExecute" and
 99      registry.data.strings : (
100        "C:\\windows\\System32\\poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml",
101        "C:\\Windows\\System32\\poqexec.exe /skip_critical_poq /display_progress \\SystemRoot\\WinSxS\\pending.xml"
102      )
103     ) and
104 not (process.name : "svchost.exe" and registry.value : "SCRNSAVE.EXE" and
105      registry.data.strings : (
106        "%windir%\\system32\\rundll32.exe user32.dll,LockWorkStation",
107        "scrnsave.scr",
108        "%windir%\\system32\\Ribbons.scr"
109      )
110     )
111'''
112
113
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1546"
118name = "Event Triggered Execution"
119reference = "https://attack.mitre.org/techniques/T1546/"
120[[rule.threat.technique.subtechnique]]
121id = "T1546.002"
122name = "Screensaver"
123reference = "https://attack.mitre.org/techniques/T1546/002/"
124
125
126[[rule.threat.technique]]
127id = "T1547"
128name = "Boot or Logon Autostart Execution"
129reference = "https://attack.mitre.org/techniques/T1547/"
130[[rule.threat.technique.subtechnique]]
131id = "T1547.001"
132name = "Registry Run Keys / Startup Folder"
133reference = "https://attack.mitre.org/techniques/T1547/001/"
134
135
136
137[rule.threat.tactic]
138id = "TA0003"
139name = "Persistence"
140reference = "https://attack.mitre.org/tactics/TA0003/"
141[[rule.threat]]
142framework = "MITRE ATT&CK"
143[[rule.threat.technique]]
144id = "T1112"
145name = "Modify Registry"
146reference = "https://attack.mitre.org/techniques/T1112/"
147
148
149[rule.threat.tactic]
150id = "TA0005"
151name = "Defense Evasion"
152reference = "https://attack.mitre.org/tactics/TA0005/"

References

  • Autoruns | Microsoft Press Store

    <p>In this sample chapter from <em>Troubleshooting with the Windows Sysinternals Tools, 2nd Edition</em>, learn about the fundamentals of Autoruns and how you can manage system permissions.</p>


    Read More

Related rules

to-top