Persistence via WMI Standard Registry Provider
Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.
[metadata]
# Date the rule was first authored; updated_date below tracks the latest revision.
creation_date = "2021/03/15"
# Events come from the Elastic Defend ("endpoint") integration; the query also
# reads the endgame-* indices (see index under [rule]).
integration = ["endpoint"]
maturity = "production"
# Why the stack version is pinned: per min_stack_comments, the rule schema
# fields this rule relies on only exist from that release onward.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused
registry locations for persistence.
"""
# Lookback window for each execution. Because timestamp_override (below) makes
# the rule search by ingest time, this window should cover the schedule interval
# plus expected ingest lag; no interval is set here, so the platform default
# applies.
from = "now-9m"
# Registry events from Elastic Defend (logs-endpoint.events.*) and the legacy
# Endgame sensor (endgame-*). The query lists every path in two formats
# (HKEY_USERS/HKLM and \REGISTRY\USER/\REGISTRY\MACHINE) to match both sources.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via WMI Standard Registry Provider"
references = [
    "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov",
    "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
]
# 73 is the score this rule set pairs with severity = "high"; keep the two in step.
risk_score = 73
rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic:
#  - process.name : "WmiPrvSe.exe" — the rule's premise is that StdRegProv
#    method calls (SetStringValue and friends) execute inside the WMI provider
#    host, so a registry write attributed to that process is the observable
#    for "registry modified via WMI". EQL's `:` operator is case-insensitive,
#    so the on-disk casing (WmiPrvSE.exe) still matches.
#  - registry.data.strings != null — only events carrying string data match;
#    events with no string payload (e.g. value deletions) are ignored. All of
#    the listed values normally hold command lines or paths, so this is not a
#    coverage loss.
#  - registry.path — autostart, logon-script and service locations. Each path
#    appears twice (HKEY_USERS\*/HKLM\ and \REGISTRY\USER\*/\REGISTRY\MACHINE\);
#    presumably the two data sources emit different path formats — verify
#    before pruning either set.
# Tuning notes:
#  - Legitimate administration tooling that drives StdRegProv (remote
#    configuration scripts, management agents) will also trigger; exclude on
#    the written value or the user context rather than by removing paths.
#  - NOTE(review): several user-hive paths have no machine-hive counterpart in
#    this list (Winlogon\Shell, Windows\Load, Command Processor\Autorun), and
#    Winlogon\Userinit is absent in both hives; WMI writes to those locations
#    would not fire this rule.
query = '''
registry where host.os.type == "windows" and
  registry.data.strings != null and process.name : "WmiPrvSe.exe" and
  registry.path : (
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
    "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
    "\\REGISTRY\\USER\\*\\Environment\\UserInitMprLogonScript",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
  )
'''


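[[rule.threat]]
framework = "MITRE ATT&CK"
# Persistence mapping. Techniques are kept in ID order, and each is backed by
# paths the query actually watches:
#   T1037 / T1037.001 — Environment\UserInitMprLogonScript (the
#                       Policies\...\Scripts\{Logon,Logoff,Startup,Shutdown}
#                       values are logon-time scripts as well)
#   T1543.003         — Services\*\ImagePath and Services\*\ServiceDLL
#   T1547.001         — Run, RunOnce, RunOnceEx and Policies\Explorer\Run
#   T1547.004         — Winlogon\Shell
# The original mapping carried only T1543.003 and T1547.001, which under-reports
# what an alert from this rule can mean; the added entries close that gap.
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.001"
name = "Logon Script (Windows)"
reference = "https://attack.mitre.org/techniques/T1037/001/"


[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"


[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.001"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1547/001/"
[[rule.threat.technique.subtechnique]]
id = "T1547.004"
name = "Winlogon Helper DLL"
reference = "https://attack.mitre.org/techniques/T1547/004/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"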
[[rule.threat]]
framework = "MITRE ATT&CK"
# Separate Execution-tactic mapping: the registry write is carried out through
# WMI (the query pins process.name to WmiPrvSe.exe, the provider host running
# StdRegProv), which is T1047 regardless of which autostart key is touched.
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Adobe Hijack Persistence
- Component Object Model Hijacking
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service
- Execution of Persistent Suspicious Program