Uncommon Registry Persistence Change
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
# Rule bookkeeping consumed by Elastic's detection-rules tooling (not by the
# query engine).
[metadata]
creation_date = "2020/11/18"
# Integrations whose index patterns the [rule].index list reads from.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/17"
# Oldest stack this rule is shipped to; the comment key records why the floor
# was raised.
min_stack_version = "8.14.0"
# NOTE(review): the HKLM\ / HKEY_USERS\ registry.path forms used in the query
# presumably depend on the post-8.14 Windows integration field format — confirm
# before backporting to an older stack.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
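[rule]
author = ["Elastic"]
description = """
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
be an indication of an adversary's attempt to persist in a stealthy manner.
"""
# Look-back window; paired with timestamp_override so events that are ingested
# late are still evaluated once.
from = "now-9m"
# Elastic Defend registry events, plus Sysmon registry events delivered through
# the Windows integration or Winlogbeat.
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Uncommon Registry Persistence Change"
references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
risk_score = 47
rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
severity = "medium"
# One "Tactic: …" tag per tactic in the [[rule.threat]] mapping below. The rule
# maps both Persistence (TA0003) and Defense Evasion (TA0005), so both are
# tagged; previously only Persistence was, which left the tags out of step with
# the threat mapping.
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
timeline_title = "Comprehensive Registry Timeline"
timestamp_override = "event.ingested"
type = "eql"

# Query notes (kept in TOML comments so the EQL string itself is unchanged):
# - Matches value writes (event.type "change") to autostart locations that
#   legitimate software rarely touches: Terminal Server Install Run/RunOnce,
#   Windows\Load and Windows\Run, Winlogon Shell/AppSetup/Taskman/Userinit/
#   VmApplet, Policies\Explorer\Run, GP logon/logoff/startup/shutdown scripts,
#   Active Setup ShellComponent, ActiveSync AutoStart*, CTF LangBarAddin, IE
#   extensions Exec/Script, Command Processor Autorun, SCRNSAVE.EXE, IFEO
#   VerifierDlls, GpExtensions DllName, SafeBoot AlternateShell, RDP
#   StartupPrograms/InitialProgram, Session Manager BootExecute/SetupExecute/
#   Execute/S0InitialCommand, ServiceControlManagerExtension,
#   BootVerificationProgram, Setup\CmdLine and UserInitMprLogonScript.
# - `length(registry.data.strings) > 0` keeps only events that carry string
#   data (presumably to skip empty or non-string writes).
# - `ControlSet*` covers ControlSet001/002 as well as CurrentControlSet.
# Exclusion caveats for anyone tuning this rule:
# - The data-string exclusions `C:\Program Files\*.exe` / `C:\Program Files (x86)\*.exe`
#   and the matching process.executable exclusions are broad: EQL `*` also
#   matches path separators, so any binary placed under Program Files (e.g. in
#   a vendor subfolder with weak ACLs) can write these keys without an alert.
#   Consider narrowing them to known product paths in your environment.
# - `C:\Windows\system32\userinit.exe` is an exact match, so the classic append
#   (`userinit.exe,evil.exe`) still alerts. `cmd.exe` is excluded as bare data
#   only — presumably for the default SafeBoot AlternateShell value; confirm.
# - The rundll32/IE Extensions Script, TiWorker+poqexec SetupExecute and
#   svchost SCRNSAVE.EXE exclusions are pinned to specific values and paths, so
#   they cannot be reused with arbitrary data.
# - Sysmon only reports value writes its own configuration includes; keys not
#   covered by the Sysmon config are invisible to this rule on that data source.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  length(registry.data.strings) > 0 and
  registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
    "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
    "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
    "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
    "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
    "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
    "HKLM\\SYSTEM\\Setup\\CmdLine",
    "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and

  not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
                               "C:\\Program Files\\*.exe") and
  not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
  not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
                            "C:\\Windows\\SysWOW64\\msiexec.exe",
                            "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
                            "C:\\Program Files\\*.exe",
                            "C:\\Program Files (x86)\\*.exe") and
  not (process.name : ("TiWorker.exe", "poqexec.exe") and registry.value : "SetupExecute" and
       registry.data.strings : (
         "C:\\windows\\System32\\poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml",
         "C:\\Windows\\System32\\poqexec.exe /skip_critical_poq /display_progress \\SystemRoot\\WinSxS\\pending.xml"
       )
  ) and
  not (process.name : "svchost.exe" and registry.value : "SCRNSAVE.EXE" and
       registry.data.strings : (
         "%windir%\\system32\\rundll32.exe user32.dll,LockWorkStation",
         "scrnsave.scr",
         "%windir%\\system32\\Ribbons.scr"
       )
  )
'''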
112
113
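# Persistence mapping. The original entry listed only Run keys and Screensaver,
# although the query's path list also watches logon scripts, IFEO VerifierDlls,
# Winlogon Shell/Userinit and Active Setup; those sub-techniques are added here
# so the mapping reflects what the rule actually detects.
[[rule.threat]]
framework = "MITRE ATT&CK"
# GP Scripts\Logon\Script and Environment\UserInitMprLogonScript.
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.001"
name = "Logon Script (Windows)"
reference = "https://attack.mitre.org/techniques/T1037/001/"


[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
# Control Panel\Desktop\scrnsave.exe.
[[rule.threat.technique.subtechnique]]
id = "T1546.002"
name = "Screensaver"
reference = "https://attack.mitre.org/techniques/T1546/002/"
# Image File Execution Options\*\VerifierDlls.
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"


[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
# Terminal Server Install Run/RunOnce, Policies\Explorer\Run, Windows\Run and \Load.
[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"
# Winlogon\Shell and Winlogon\Userinit.
[[rule.threat.technique.subtechnique]]
id = "T1547.004"
name = "Winlogon Helper DLL"
reference = "https://attack.mitre.org/techniques/T1547/004/"
# Active Setup\Installed Components\*\ShellComponent.
[[rule.threat.technique.subtechnique]]
id = "T1547.014"
name = "Active Setup"
reference = "https://attack.mitre.org/techniques/T1547/014/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"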
# Defense Evasion mapping: the persistence is achieved by modifying registry
# values in locations that are rarely audited, which is why Modify Registry is
# mapped alongside the Persistence techniques above. A matching
# "Tactic: Defense Evasion" tag is expected in [rule].tags.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"