Uncommon Registry Persistence Change

Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.


# Rule metadata (detection-rules repository conventions).
[metadata]
creation_date = "2020/11/18"
# NOTE(review): the query below also reads logs-windows.sysmon_operational-* and
# the rule is tagged "Data Source: Sysmon"; confirm whether the "windows"
# integration should be listed here as well.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
be an indication of an adversary's attempt to persist in a stealthy manner.
"""
# Look-back window for each rule execution (evaluated against event.ingested,
# see timestamp_override below).
from = "now-9m"
# Registry events from Elastic Defend and from Sysmon as shipped by the Windows
# integration. NOTE(review): coverage is only as good as what each source
# records -- Sysmon logs only the keys its configuration includes, and Elastic
# Defend's registry collection may not cover every path in the query; verify
# on a test host before relying on an individual path.
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Uncommon Registry Persistence Change"
references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
risk_score = 47
rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
timeline_title = "Comprehensive Registry Timeline"
# Schedule against ingest time rather than event time so late-arriving events
# still fall inside the "from" window.
timestamp_override = "event.ingested"
type = "eql"

# Query notes (the query is a literal string, so the commentary lives here).
#
# Scope: registry value creation or modification on Windows where at least one
# string was written and the value path is one of the autostart locations
# listed below -- Terminal Server install-mode Run/RunOnce, per-user
# Windows\Load and Windows\Run, Winlogon Shell/AppSetup/Taskman/Userinit/
# VmApplet, Policies Run and System\Shell, Group Policy logon/logoff/startup/
# shutdown scripts, Active Setup ShellComponent, ActiveSync AutoStart*,
# CTF LangBarAddin, IE extensions Exec/Script, Command Processor Autorun,
# the screensaver value, IFEO VerifierDlls, GpExtensions DllName, SafeBoot
# AlternateShell, Terminal Server StartupPrograms/InitialProgram, Session
# Manager BootExecute/SetupExecute/Execute/S0InitialCommand,
# ServiceControlManagerExtension, BootVerificationProgram, Setup\CmdLine and
# UserInitMprLogonScript. registry.path carries the value name, so the list
# matches on specific values, not whole keys. The ordinary
# ...\CurrentVersion\Run keys are deliberately absent; presumably other rules
# cover them.
#
# Exclusions and what they cost (reviewer's reading, not upstream rationale):
#  - data == C:\Windows\system32\userinit.exe: the stock Winlogon\Userinit
#    value. NOTE(review): on a default install that value ends with a trailing
#    comma ("...userinit.exe,"); confirm the exclusion matches as written.
#  - data == cmd.exe: presumably the default SafeBoot\AlternateShell value.
#  - data under C:\Program Files[ (x86)]\*.exe, and any writing process whose
#    executable lives there: silences installer noise, but an adversary who can
#    drop a binary under Program Files (weak vendor-directory ACLs, a
#    compromised application) or who simply writes such a path into e.g.
#    Winlogon\Shell is not alerted on. Tighten per environment where feasible.
#  - rundll32.exe writing IE Extensions\*\Script: keyed on process.name, which
#    the writer controls; limited to that one value.
#  - msiexec.exe and MsMpEng.exe as the writer: the MsMpEng.exe entry is a
#    wildcarded directory match under ProgramData, not a signer check.
# EQL's `:` operator is case-insensitive and honors the `*` wildcards above, so
# casing differences in paths or data do not defeat the exclusions.
query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
 length(registry.data.strings) > 0 and
 registry.path : (
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
      "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
      "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
      "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
      "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
      "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
      "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
      "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
      "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
      "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
      "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
      "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
      "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
      "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
      "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
      "HKLM\\SYSTEM\\Setup\\CmdLine",
      "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and

 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
                              "C:\\Program Files\\*.exe") and
 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
                           "C:\\Windows\\SysWOW64\\msiexec.exe",
                           "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
                           "C:\\Program Files\\*.exe",
                           "C:\\Program Files (x86)\\*.exe")
'''


# ATT&CK mapping, Persistence. Screensaver is covered by the
# Control Panel\Desktop\scrnsave.exe value; Registry Run Keys by the Terminal
# Server install-mode Run/RunOnce and Policies\Explorer\Run entries.
# NOTE(review): the Winlogon Shell/Userinit/Taskman/VmApplet entries fit
# T1547.004 (Winlogon Helper DLL) and the UserInitMprLogonScript / Group Policy
# script entries fit T1037 (Boot or Logon Initialization Scripts); consider
# adding those mappings so triage and coverage reports are not under-counted.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.002"
name = "Screensaver"
reference = "https://attack.mitre.org/techniques/T1546/002/"


[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# ATT&CK mapping, Defense Evasion. Every hit is by definition a registry
# modification, hence the secondary T1112 mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
