Uncommon Registry Persistence Change
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
be an indication of an adversary's attempt to persist in a stealthy manner.
"""
# Lookback window for each run. NOTE(review): presumably wider than the schedule interval so that
# late-ingested events are not missed — confirm against the rule's configured interval.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Uncommon Registry Persistence Change"
references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
risk_score = 47
rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
timeline_title = "Comprehensive Registry Timeline"
# The rule is scheduled against the ingest timestamp (event.ingested) rather than the event's own time.
timestamp_override = "event.ingested"
type = "eql"

# Matches Windows registry events whose path is one of the less-common autostart locations listed
# below (Winlogon, Session Manager, Terminal Server, policy scripts, Active Setup, IE extensions,
# screensaver, logon script environment, ...). The trailing `not` clauses are allowlists:
#   - values pointing at the stock userinit.exe, cmd.exe, or any executable under Program Files;
#   - rundll32.exe writing an IE extension Script value;
#   - writes by msiexec.exe, Defender's MsMpEng.exe, or any executable under Program Files.
# NOTE(review): the "C:\Program Files\*.exe" / "C:\Program Files (x86)\*.exe" wildcards are broad —
# a value pointing into, or a writer located in, any Program Files subfolder suppresses the alert.
# Consider narrowing these to specific vendor paths when tuning for an environment.
# NOTE(review): the `length(registry.data.strings) > 0` condition is still commented out inside the
# query, so events carrying an empty value are not filtered by it.
query = '''
registry where host.os.type == "windows" and
 /* uncomment once stable length(registry.data.strings) > 0 and */
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
 "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
 "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
 "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
 "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
 "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
 "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
 "HKLM\\SYSTEM\\Setup\\CmdLine",
 "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and

 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
 "C:\\Program Files\\*.exe") and
 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
 "C:\\Windows\\SysWOW64\\msiexec.exe",
 "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
 "C:\\Program Files\\*.exe",
 "C:\\Program Files (x86)\\*.exe")
'''


# Each [[rule.threat]] entry maps the rule to one MITRE ATT&CK tactic and the techniques it covers.
# First entry: Persistence (TA0003) via autostart keys and the screensaver value.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
# Covers the HKEY_USERS\*\Control Panel\Desktop\scrnsave.exe path in the query.
[[rule.threat.technique.subtechnique]]
id = "T1546.002"
name = "Screensaver"
reference = "https://attack.mitre.org/techniques/T1546/002/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# Second entry: Defense Evasion (TA0005) — the same registry writes also count as Modify Registry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"