Persistence via Hidden Run Key Detected

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/11/15"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
 11registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Persistence via Hidden Run Key Detected"
 18references = [
 19    "https://github.com/outflanknl/SharpHide",
 20    "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
 21]
 22risk_score = 73
 23rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
 24setup = """## Setup
 25
 26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 29`event.ingested` to @timestamp.
 30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 31"""
 32severity = "high"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Persistence",
 38    "Tactic: Defense Evasion",
 39    "Tactic: Execution",
 40    "Data Source: Elastic Endgame",
 41    "Data Source: Elastic Defend",
 42    "Data Source: Sysmon",
 43]
 44timestamp_override = "event.ingested"
 45type = "eql"
 46
 47query = '''
 48/* Registry Path ends with backslash */
 49registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */
 50 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 51                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 52                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 53                  "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 54                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 55                  "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 56                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 57                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 58                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 59                  "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 60                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 61                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
 62'''
 63
 64
 65[[rule.threat]]
 66framework = "MITRE ATT&CK"
 67[[rule.threat.technique]]
 68id = "T1547"
 69name = "Boot or Logon Autostart Execution"
 70reference = "https://attack.mitre.org/techniques/T1547/"
 71[[rule.threat.technique.subtechnique]]
 72id = "T1547.001"
 73name = "Registry Run Keys / Startup Folder"
 74reference = "https://attack.mitre.org/techniques/T1547/001/"
 75
 76
 77
 78[rule.threat.tactic]
 79id = "TA0003"
 80name = "Persistence"
 81reference = "https://attack.mitre.org/tactics/TA0003/"
 82[[rule.threat]]
 83framework = "MITRE ATT&CK"
 84[[rule.threat.technique]]
 85id = "T1106"
 86name = "Native API"
 87reference = "https://attack.mitre.org/techniques/T1106/"
 88
 89
 90[rule.threat.tactic]
 91id = "TA0002"
 92name = "Execution"
 93reference = "https://attack.mitre.org/tactics/TA0002/"
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96[[rule.threat.technique]]
 97id = "T1112"
 98name = "Modify Registry"
 99reference = "https://attack.mitre.org/techniques/T1112/"
100
101
102[rule.threat.tactic]
103id = "TA0005"
104name = "Defense Evasion"
105reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top