Persistence via Hidden Run Key Detected

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/11/15"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
 13registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Persistence via Hidden Run Key Detected"
 20references = [
 21    "https://github.com/outflanknl/SharpHide",
 22    "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
 23]
 24risk_score = 73
 25rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
 26setup = """## Setup
 27
 28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 31`event.ingested` to @timestamp.
 32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 33"""
 34severity = "high"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Windows",
 38    "Use Case: Threat Detection",
 39    "Tactic: Persistence",
 40    "Tactic: Defense Evasion",
 41    "Tactic: Execution",
 42    "Data Source: Elastic Endgame",
 43    "Data Source: Elastic Defend",
 44    "Data Source: Sysmon",
 45]
 46timestamp_override = "event.ingested"
 47type = "eql"
 48
 49query = '''
 50/* Registry Path ends with backslash */
 51registry where host.os.type == "windows" and event.type == "change" and length(registry.data.strings) > 0 and
 52 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 53                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 54                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 55                  "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 56                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 57                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 58                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 59                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 60                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 61                  "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 62                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 63                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
 64'''
 65
 66
 67[[rule.threat]]
 68framework = "MITRE ATT&CK"
 69[[rule.threat.technique]]
 70id = "T1547"
 71name = "Boot or Logon Autostart Execution"
 72reference = "https://attack.mitre.org/techniques/T1547/"
 73[[rule.threat.technique.subtechnique]]
 74id = "T1547.001"
 75name = "Registry Run Keys / Startup Folder"
 76reference = "https://attack.mitre.org/techniques/T1547/001/"
 77
 78
 79
 80[rule.threat.tactic]
 81id = "TA0003"
 82name = "Persistence"
 83reference = "https://attack.mitre.org/tactics/TA0003/"
 84[[rule.threat]]
 85framework = "MITRE ATT&CK"
 86[[rule.threat.technique]]
 87id = "T1106"
 88name = "Native API"
 89reference = "https://attack.mitre.org/techniques/T1106/"
 90
 91
 92[rule.threat.tactic]
 93id = "TA0002"
 94name = "Execution"
 95reference = "https://attack.mitre.org/tactics/TA0002/"
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98[[rule.threat.technique]]
 99id = "T1112"
100name = "Modify Registry"
101reference = "https://attack.mitre.org/techniques/T1112/"
102
103
104[rule.threat.tactic]
105id = "TA0005"
106name = "Defense Evasion"
107reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top