Persistence via Hidden Run Key Detected
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/15"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
11registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Persistence via Hidden Run Key Detected"
18references = [
19 "https://github.com/outflanknl/SharpHide",
20 "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
21]
22risk_score = 73
23rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "high"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Persistence",
38 "Tactic: Defense Evasion",
39 "Tactic: Execution",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48/* Registry Path ends with backslash */
49registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */
50 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
51 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
52 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
53 "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
54 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
55 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
56 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
57 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
58 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
59 "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
60 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
61 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
62'''
63
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1547"
69name = "Boot or Logon Autostart Execution"
70reference = "https://attack.mitre.org/techniques/T1547/"
71[[rule.threat.technique.subtechnique]]
72id = "T1547.001"
73name = "Registry Run Keys / Startup Folder"
74reference = "https://attack.mitre.org/techniques/T1547/001/"
75
76
77
78[rule.threat.tactic]
79id = "TA0003"
80name = "Persistence"
81reference = "https://attack.mitre.org/tactics/TA0003/"
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1106"
86name = "Native API"
87reference = "https://attack.mitre.org/techniques/T1106/"
88
89
90[rule.threat.tactic]
91id = "TA0002"
92name = "Execution"
93reference = "https://attack.mitre.org/tactics/TA0002/"
94[[rule.threat]]
95framework = "MITRE ATT&CK"
96[[rule.threat.technique]]
97id = "T1112"
98name = "Modify Registry"
99reference = "https://attack.mitre.org/techniques/T1112/"
100
101
102[rule.threat.tactic]
103id = "TA0005"
104name = "Defense Evasion"
105reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Image File Execution Options Injection
- Installation of Security Support Provider
- Microsoft Build Engine Using an Alternate Name