Persistence via Hidden Run Key Detected

 1[metadata]
 2creation_date = "2020/11/15"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
13registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Persistence via Hidden Run Key Detected"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25    "https://github.com/outflanknl/SharpHide",
26    "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
27]
28risk_score = 73
29rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
30severity = "high"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36/* Registry Path ends with backslash */
37registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */
38 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
39                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
40                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
41                  "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
42                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
43                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
44                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
45                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
46                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
47                  "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
48                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
49                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1547"
57name = "Boot or Logon Autostart Execution"
58reference = "https://attack.mitre.org/techniques/T1547/"
59[[rule.threat.technique.subtechnique]]
60id = "T1547.001"
61name = "Registry Run Keys / Startup Folder"
62reference = "https://attack.mitre.org/techniques/T1547/001/"
63
64
65
66[rule.threat.tactic]
67id = "TA0003"
68name = "Persistence"
69reference = "https://attack.mitre.org/tactics/TA0003/"