Uncommon Registry Persistence Change
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
13be an indication of an adversary's attempt to persist in a stealthy manner.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Uncommon Registry Persistence Change"
20references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
21risk_score = 47
22rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
25timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
26timeline_title = "Comprehensive Registry Timeline"
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31registry where host.os.type == "windows" and event.type in ("creation", "change") and
32 length(registry.data.strings) > 0 and
33 registry.path : (
34 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
35 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
36 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
37 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
38 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
39 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
40 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
41 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
42 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
43 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
44 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
45 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
46 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
47 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
48 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
49 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
50 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
51 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
52 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
53 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
54 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
55 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
56 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
57 "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
58 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
59 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
60 "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
61 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
62 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
63 "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
64 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
65 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
66 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
67 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
68 "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
69 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
70 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
71 "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
72 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
73 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
74 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
75 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
76 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
77 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
78 "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
79 "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
80 "HKLM\\SYSTEM\\Setup\\CmdLine",
81 "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
82
83 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
84 "C:\\Program Files\\*.exe") and
85 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
86 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
87 "C:\\Windows\\SysWOW64\\msiexec.exe",
88 "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
89 "C:\\Program Files\\*.exe",
90 "C:\\Program Files (x86)\\*.exe")
91'''
92
93
94[[rule.threat]]
95framework = "MITRE ATT&CK"
96[[rule.threat.technique]]
97id = "T1547"
98name = "Boot or Logon Autostart Execution"
99reference = "https://attack.mitre.org/techniques/T1547/"
100[[rule.threat.technique.subtechnique]]
101id = "T1547.001"
102name = "Registry Run Keys / Startup Folder"
103reference = "https://attack.mitre.org/techniques/T1547/001/"
104
105[[rule.threat.technique]]
106id = "T1546"
107name = "Event Triggered Execution"
108reference = "https://attack.mitre.org/techniques/T1546/"
109[[rule.threat.technique.subtechnique]]
110id = "T1546.002"
111name = "Screensaver"
112reference = "https://attack.mitre.org/techniques/T1546/002/"
113
114[rule.threat.tactic]
115id = "TA0003"
116name = "Persistence"
117reference = "https://attack.mitre.org/tactics/TA0003/"
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120[[rule.threat.technique]]
121id = "T1112"
122name = "Modify Registry"
123reference = "https://attack.mitre.org/techniques/T1112/"
124
125
126[rule.threat.tactic]
127id = "TA0005"
128name = "Defense Evasion"
129reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adobe Hijack Persistence
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service
- Execution of Persistent Suspicious Program
- Image File Execution Options Injection