Persistence via Hidden Run Key Detected
Identifies a persistence mechanism that uses the NtSetValueKey native API to write a Run-key value whose name begins with a null character (the rule calls this a hidden, "null terminated", registry key). NtSetValueKey takes a counted UNICODE_STRING, so the kernel stores the full name, but Win32 registry functions take NUL-terminated strings and report the name as empty; tools built on them, such as the Registry Editor (regedit), therefore cannot display or address the value. The rule looks for the symptom rather than the API call: a change to a value under one of the Run or Policies\Explorer\Run keys whose recorded registry.path ends in a backslash, i.e. with no visible value name, and which carries non-empty string data.
Elastic rule
[metadata]
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Hidden Run Key Detected"
references = [
  "https://github.com/outflanknl/SharpHide",
  "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
]
risk_score = 73
rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Tactic: Defense Evasion",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* Registry Path ends with backslash */
registry where host.os.type == "windows" and event.type == "change" and length(registry.data.strings) > 0 and
  registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
                   "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
                   "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
                   "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                   "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
                   "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via Hidden Run Key Detected

The Windows Registry is a critical system database that stores configuration settings. Adversaries exploit it for persistence by creating hidden registry keys using native APIs, making them invisible to standard tools like regedit. The detection rule identifies changes in specific registry paths associated with startup programs, flagging null-terminated keys that suggest stealthy persistence tactics.

### Possible investigation steps

- Review the specific registry path where the change was detected to determine if it matches any of the paths listed in the query, such as "HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\" or "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\".
- Check the timestamp of the registry change event to correlate it with other system activities or user actions that occurred around the same time.
- Investigate the process that made the registry change by examining process creation logs or using tools like Sysmon to identify the responsible process and its parent process.
- Analyze the content of the registry key value that was modified or created to determine if it points to a legitimate application or a potentially malicious executable.
- Cross-reference the detected registry change with known threat intelligence sources to identify if the key or value is associated with known malware or adversary techniques.
- Assess the affected system for additional indicators of compromise, such as unusual network connections, file modifications, or other persistence mechanisms.

### False positive analysis

- Legitimate software installations or updates may create registry keys in the specified paths, leading to false positives. Users can monitor the installation process and temporarily disable the rule during known software updates to prevent unnecessary alerts.
- System administrators may intentionally configure startup programs for maintenance or monitoring purposes. Document these configurations and create exceptions in the detection rule to avoid flagging them as threats.
- Some security software may use similar techniques to ensure their components start with the system. Verify the legitimacy of such software and whitelist their registry changes to prevent false alarms.
- Custom scripts or automation tools used within an organization might modify registry keys for operational reasons. Identify these scripts and exclude their activities from the detection rule to reduce false positives.
- Regularly review and update the list of known safe applications and processes that interact with the registry paths in question, ensuring that the detection rule remains relevant and accurate.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Use a trusted tool to manually inspect and remove the hidden registry keys identified in the alert from the specified registry paths to eliminate the persistence mechanism.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes associated with the threat.
- Review recent user activity and system logs to identify any unauthorized access or changes made by the adversary, and reset credentials for any compromised accounts.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution.
- Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
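The query above matches on a symptom, a registry.path that ends at the Run key with no visible value name, rather than on the NtSetValueKey call itself. The following Python is an added example, not Elastic's code and not part of the detection-rules repository: it re-implements the rule's conditions in plain Python and runs them over constructed registry events in the ECS shape the query uses (host.os.type, event.type, registry.path, registry.data.strings). The `win32_visible_name` helper models the trick the rule relies on: NtSetValueKey takes a counted UNICODE_STRING, so a name such as "\x00updater" is stored in full, while NUL-terminated Win32 string handling sees it as "". That the endpoint sensor records the name through such an interface is an assumption of the example, as are the SID, file paths and value names in the sample events.

```python
import fnmatch

# registry.path wildcards copied from the rule's EQL query (one duplicate entry omitted).
# EQL's `field : "pattern"` is a case-insensitive wildcard match in which `*` may span
# any characters, backslashes included.
RULE_PATHS = [
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
]


def eql_wildcard_match(value: str, pattern: str) -> bool:
    """Approximation of EQL's `:` operator: case-insensitive, `*` matches any run of
    characters. fnmatch's `*` has the same semantics; `[` never occurs in these paths."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def win32_visible_name(value_name: str) -> str:
    """Model of the hiding trick. The kernel stores the counted name in full, but a
    NUL-terminated (Win32) view stops at the first U+0000, so "\\x00updater" reads as "".
    Assumption: the sensor records the value name through such a view, which is why the
    rule keys on a registry.path that ends in a backslash."""
    return value_name.split("\x00", 1)[0]


def build_event(key: str, value_name: str, data: list,
                event_type: str = "change", os_type: str = "windows") -> dict:
    """Build an ECS-shaped registry event (constructed, not captured telemetry)."""
    visible = win32_visible_name(value_name)
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": event_type},
        "registry": {
            "path": key.rstrip("\\") + "\\" + visible,  # key path + visible value name
            "value": visible,
            "data": {"strings": list(data)},
        },
    }


def rule_matches(event: dict) -> bool:
    """The rule's conditions: Windows host, a change event, non-empty string data, and a
    registry.path that ends exactly at a monitored Run key (no visible value name)."""
    if event["host"]["os"]["type"] != "windows" or event["event"]["type"] != "change":
        return False
    # length(registry.data.strings) > 0 is read here as "a non-empty data string was written".
    if not any(s for s in event["registry"]["data"]["strings"]):
        return False
    path = event["registry"]["path"]
    return any(eql_wildcard_match(path, p) for p in RULE_PATHS)


# Assumed SID and paths for the sample events.
USER_RUN = ("HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
MACHINE_RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
MACHINE_POLICY_RUN = ("\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
                      "\\Policies\\Explorer\\Run")

# Constructed sample events: one benign autorun, two hidden-name writes the rule should
# catch, and three hidden-name writes that miss one of the rule's conditions.
SAMPLE_EVENTS = [
    ("benign-onedrive", build_event(USER_RUN, "OneDrive",
        ["\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"])),
    ("hidden-user-run", build_event(USER_RUN, "\x00updater", ["C:\\Users\\Public\\updater.exe"])),
    ("hidden-policy-run", build_event(MACHINE_POLICY_RUN, "\x00svc", ["C:\\ProgramData\\svc.exe"])),
    ("hidden-empty-data", build_event(MACHINE_RUN, "\x00x", [])),               # no data written
    ("hidden-runonce", build_event(MACHINE_RUN + "Once", "\x00x", ["C:\\x.exe"])),  # RunOnce not in rule
    ("hidden-but-deleted", build_event(MACHINE_RUN, "\x00x", ["C:\\x.exe"], event_type="deletion")),
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Names of the sample events the rule would alert on."""
    return [name for name, ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS:
        print(f"{name:20} alert={rule_matches(ev)!s:5} path={ev['registry']['path']!r}")
```

Two of the negatives are worth keeping in mind when tuning: the path list covers Run and Policies\Explorer\Run only, so the same null-prefixed name written under RunOnce (or, in the HKLM form, under Policies\Explorer\Run, which appears only as \REGISTRY\MACHINE in the list) produces no alert, and a value written with no data is ignored by design. Because the rule matches the empty visible name rather than the API, any sensor event that renders a Run-key write with an empty value name will look the same; confirm by reading the value through a counted-string interface (the native NtEnumerateValueKey API, or the tools in the referenced SharpHide and InvisiblePersistence projects) before treating the write as benign, since Win32 tools cannot address the value by name.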
Related rules
- Command Shell Activity Started via RunDLL32
- Image File Execution Options Injection
- Installation of Security Support Provider
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable
- Scheduled Task Created by a Windows Script