Uncommon Registry Persistence Change
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2025/03/20"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
11be an indication of an adversary's attempt to persist in a stealthy manner.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Uncommon Registry Persistence Change"
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Uncommon Registry Persistence Change
24
25Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations.
26
27### Possible investigation steps
28
29- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior.
30- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious.
31- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity.
32- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account.
33- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity.
34- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques.
35
36### False positive analysis
37
38- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\\Program Files\\*.exe to reduce noise.
39- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns.
40- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts.
41- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe, to avoid false positives.
42- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\\system32\\rundll32.exe user32.dll,LockWorkStation to minimize false detections.
43
44### Response and remediation
45
46- Isolate the affected system from the network to prevent further spread of potential malicious activity.
47- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths.
48- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values.
49- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
50- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
51- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
52- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases."""
53references = [
54 "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2",
55 "https://github.com/rad9800/BootExecuteEDR",
56]
57risk_score = 47
58rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
59severity = "medium"
60tags = [
61 "Domain: Endpoint",
62 "OS: Windows",
63 "Use Case: Threat Detection",
64 "Tactic: Persistence",
65 "Data Source: Elastic Defend",
66 "Data Source: Sysmon",
67 "Resources: Investigation Guide",
68]
69timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
70timeline_title = "Comprehensive Registry Timeline"
71timestamp_override = "event.ingested"
72type = "eql"
73
74query = '''
75registry where host.os.type == "windows" and event.type == "change" and
76 length(registry.data.strings) > 0 and
77 registry.path : (
78 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
79 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
80 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
81 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
82 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
83 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
84 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
85 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
86 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
87 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
88 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
89 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
90 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
91 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
92 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
93 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
94 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
95 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
96 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
97 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
98 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
99 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
100 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
101 "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
102 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
103 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
104 "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
105 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
106 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
107 "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
108 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
109 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
110 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
111 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
112 "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
113 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
114 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
115 "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
116 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
117 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
118 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
119 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecuteNoPnpSync",
120 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
121 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecuteNoPnpSync",
122 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\PlatformExecute",
123 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
124 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
125 "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
126 "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
127 "HKLM\\SYSTEM\\Setup\\CmdLine",
128 "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
129
130 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
131 "C:\\Program Files\\*.exe") and
132 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
133 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
134 "C:\\Windows\\SysWOW64\\msiexec.exe",
135 "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
136 "C:\\Program Files\\*.exe",
137 "C:\\Program Files (x86)\\*.exe") and
138 not (process.name : ("TiWorker.exe", "poqexec.exe") and registry.value : "SetupExecute" and
139 registry.data.strings : (
140 "C:\\windows\\System32\\poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml",
141 "C:\\Windows\\System32\\poqexec.exe /skip_critical_poq /display_progress \\SystemRoot\\WinSxS\\pending.xml"
142 )
143 ) and
144 not (process.name : "svchost.exe" and registry.value : "SCRNSAVE.EXE" and
145 registry.data.strings : (
146 "%windir%\\system32\\rundll32.exe user32.dll,LockWorkStation",
147 "scrnsave.scr",
148 "%windir%\\system32\\Ribbons.scr"
149 )
150 )
151'''
152
153
154[[rule.threat]]
155framework = "MITRE ATT&CK"
156[[rule.threat.technique]]
157id = "T1546"
158name = "Event Triggered Execution"
159reference = "https://attack.mitre.org/techniques/T1546/"
160[[rule.threat.technique.subtechnique]]
161id = "T1546.002"
162name = "Screensaver"
163reference = "https://attack.mitre.org/techniques/T1546/002/"
164
165
166[[rule.threat.technique]]
167id = "T1547"
168name = "Boot or Logon Autostart Execution"
169reference = "https://attack.mitre.org/techniques/T1547/"
170[[rule.threat.technique.subtechnique]]
171id = "T1547.001"
172name = "Registry Run Keys / Startup Folder"
173reference = "https://attack.mitre.org/techniques/T1547/001/"
174
175
176
177[rule.threat.tactic]
178id = "TA0003"
179name = "Persistence"
180reference = "https://attack.mitre.org/tactics/TA0003/"
181[[rule.threat]]
182framework = "MITRE ATT&CK"
183[[rule.threat.technique]]
184id = "T1112"
185name = "Modify Registry"
186reference = "https://attack.mitre.org/techniques/T1112/"
187
188
189[rule.threat.tactic]
190id = "TA0005"
191name = "Defense Evasion"
192reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Uncommon Registry Persistence Change
Windows Registry is a critical system database storing configuration settings. Adversaries exploit registry keys for persistence, ensuring malicious code executes on startup or during specific events. The detection rule identifies unusual modifications to less commonly altered registry keys, which may indicate stealthy persistence attempts. It filters out benign changes by excluding known legitimate processes and paths, focusing on suspicious alterations.
Possible investigation steps
- Review the specific registry path and value that triggered the alert to understand the context of the change and its potential impact on system behavior.
- Identify the process responsible for the registry modification by examining the process.name and process.executable fields, and determine if it is a known legitimate process or potentially malicious.
- Check the registry.data.strings field to see the new data or command being set in the registry key, and assess whether it aligns with known legitimate software or suspicious activity.
- Investigate the user account associated with the registry change by reviewing the HKEY_USERS path, if applicable, to determine if the change was made by an authorized user or an unexpected account.
- Correlate the alert with other recent events on the host, such as file modifications or network connections, to identify any additional indicators of compromise or related suspicious activity.
- Consult threat intelligence sources or databases to see if the registry path or process involved is associated with known malware or adversary techniques.
False positive analysis
- Legitimate software installations or updates may modify registry keys for setup or configuration purposes. Users can create exceptions for known software paths like C:\Program Files*.exe to reduce noise.
- System maintenance processes such as Windows Update might trigger changes in registry keys like SetupExecute. Exclude processes like TiWorker.exe and poqexec.exe when they match known update patterns.
- Administrative scripts or tools that automate system configurations can alter registry keys. Identify and exclude these scripts by their executable paths or process names to prevent false alerts.
- Security software, including antivirus or endpoint protection, may interact with registry keys for monitoring purposes. Exclude paths related to these tools, such as C:\ProgramData\Microsoft\Windows Defender\Platform*\MsMpEng.exe, to avoid false positives.
- User-initiated changes through control panel settings or personalization options can affect registry keys like SCRNSAVE.EXE. Exclude common system paths like %windir%\system32\rundll32.exe user32.dll,LockWorkStation to minimize false detections.
Response and remediation
- Isolate the affected system from the network to prevent further spread of potential malicious activity.
- Terminate any suspicious processes identified in the alert, particularly those not matching known legitimate executables or paths.
- Restore any altered registry keys to their original state using a known good backup or by manually resetting them to default values.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
- Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases.
References
-
<p>In this sample chapter from <em>Troubleshooting with the Windows Sysinternals Tools, 2nd Edition</em>, learn about the fundamentals of Autoruns and how you can manage system permissions.</p>
Read More -
Related rules
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Browser Extension Install
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service