Persistence via Hidden Run Key Detected
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/15"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
13registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Persistence via Hidden Run Key Detected"
20references = [
21 "https://github.com/outflanknl/SharpHide",
22 "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
23]
24risk_score = 73
25rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
26setup = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "high"
35tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40/* Registry Path ends with backslash */
41registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */
42 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
43 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
44 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
45 "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
46 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
47 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
48 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
49 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
50 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
51 "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
52 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
53 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1547"
61name = "Boot or Logon Autostart Execution"
62reference = "https://attack.mitre.org/techniques/T1547/"
63[[rule.threat.technique.subtechnique]]
64id = "T1547.001"
65name = "Registry Run Keys / Startup Folder"
66reference = "https://attack.mitre.org/techniques/T1547/001/"
67
68
69
70[rule.threat.tactic]
71id = "TA0003"
72name = "Persistence"
73reference = "https://attack.mitre.org/tactics/TA0003/"
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77
78[[rule.threat.technique]]
79id = "T1106"
80name = "Native API"
81reference = "https://attack.mitre.org/techniques/T1106/"
82
83
84[rule.threat.tactic]
85id = "TA0002"
86name = "Execution"
87reference = "https://attack.mitre.org/tactics/TA0002/"
88
89
90[[rule.threat]]
91framework = "MITRE ATT&CK"
92[[rule.threat.technique]]
93id = "T1112"
94name = "Modify Registry"
95reference = "https://attack.mitre.org/techniques/T1112/"
96
97[rule.threat.tactic]
98id = "TA0005"
99name = "Defense Evasion"
100reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Image File Execution Options Injection
- Installation of Security Support Provider
- Microsoft Build Engine Using an Alternate Name