registry_event

Atbroker Registry Change

Dec 1, 2023 · attack.defense_evasion attack.t1218 attack.persistence attack.t1547 ·

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Office Application Startup - Office Test

Nov 8, 2023 · attack.persistence attack.t1137.002 ·

Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Nov 6, 2023 · attack.defense_evasion attack.t1562.001 ·

Share on:

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

FlowCloud Malware

Oct 18, 2023 · attack.persistence attack.t1112 ·

Share on:

Detects FlowCloud malware from threat group TA410.

Narrator's Feedback-Hub Persistence

Oct 18, 2023 · attack.persistence attack.t1547.001 ·

Share on:

Detects abusing Windows 10 Narrator's Feedback-Hub

New DLL Added to AppInit_DLLs Registry Key

Oct 18, 2023 · attack.persistence attack.t1546.010 ·

Share on:

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Potential Qakbot Registry Activity

Oct 18, 2023 · attack.defense_evasion attack.t1112 ·

Share on:

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

Creation of a Local Hidden User Account by Registry

Oct 17, 2023 · attack.persistence attack.t1136.001 ·

Share on:

Sysmon registry detection of a local hidden user account.

HybridConnectionManager Service Installation - Registry

Oct 17, 2023 · attack.resource_development attack.t1608 ·

Share on:

Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Oct 17, 2023 · attack.credential_access attack.t1003.001 ·

Share on:

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Registry Persistence Mechanisms in Recycle Bin

Oct 17, 2023 · attack.persistence attack.t1547 ·

Share on:

Detects persistence registry keys for Recycle Bin

Sticky Key Like Backdoor Usage - Registry

Oct 17, 2023 · attack.privilege_escalation attack.persistence attack.t1546.008 car.2014-11-003 car.2014-11-008 ·

Share on:

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Leviathan Registry Key Activity

Oct 4, 2023 · attack.persistence attack.t1547.001 ·

Share on:

Detects registry key used by Leviathan APT in Malaysian focused campaign

OceanLotus Registry Activity

Oct 4, 2023 · attack.defense_evasion attack.t1112 ·

Share on:

Detects registry keys created in OceanLotus (also known as APT32) attacks

Windows Registry Trust Record Modification

Jul 13, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Alerts on trust record modification within the registry, indicating usage of macros

UAC Bypass Via Wsreset

Jun 21, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 ·

Share on:

Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.

PrinterNightmare Mimikatz Driver Name

Jun 15, 2023 · attack.execution attack.t1204 cve.2021.1675 cve.2021.34527 ·

Share on:

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

OilRig APT Registry Persistence

Mar 9, 2023 · attack.persistence attack.g0049 attack.t1053.005 attack.s0111 attack.t1543.003 attack.defense_evasion attack.t1112 attack.command_and_control attack.t1071.004 ·

Share on:

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

DLL Load via LSASS

Feb 1, 2023 · attack.execution attack.persistence attack.t1547.008 ·

Share on:

Detects a method to load DLL via LSASS process using an undocumented Registry key

NetNTLM Downgrade Attack - Registry

Feb 1, 2023 · attack.defense_evasion attack.t1562.001 attack.t1112 ·

Share on:

Detects NetNTLM downgrade attack

Pandemic Registry Key

Feb 1, 2023 · attack.lateral_movement attack.t1105 ·

Share on:

Detects Pandemic Windows Implant

Shell Open Registry Keys Manipulation

Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 attack.t1546.001 ·

Share on:

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)

Suspicious Run Key from Download

Feb 1, 2023 · attack.persistence attack.t1547.001 ·

Share on:

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

Windows Credential Editor Registry

Feb 1, 2023 · attack.credential_access attack.t1003.001 attack.s0005 ·

Share on:

Detects the use of Windows Credential Editor (WCE)

Esentutl Volume Shadow Copy Service Keys

Dec 27, 2022 · attack.credential_access attack.t1003.002 ·

Share on:

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

CMSTP Execution Registry Event

Oct 26, 2022 · attack.defense_evasion attack.execution attack.t1218.003 attack.g0069 car.2019-04-001 ·

Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Disable Security Events Logging Adding Reg Key MiniNt

Oct 26, 2022 · attack.defense_evasion attack.t1562.001 attack.t1112 ·

Share on:

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.

New DLL Added to AppCertDlls Registry Key

Oct 26, 2022 · attack.persistence attack.t1546.009 ·

Share on:

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Path To Screensaver Binary Modified

Oct 26, 2022 · attack.persistence attack.privilege_escalation attack.t1546.002 ·

Share on:

Detects value modification of registry key containing path to binary used as screensaver.

RedMimicry Winnti Playbook Registry Manipulation

Oct 26, 2022 · attack.defense_evasion attack.t1112 ·

Share on:

Detects actions caused by the RedMimicry Winnti playbook

Registry Entries For Azorult Malware

Oct 26, 2022 · attack.execution attack.t1112 ·

Share on:

Detects the presence of a registry key created during Azorult execution

Run Once Task Configuration in Registry

Oct 26, 2022 · attack.defense_evasion attack.t1112 ·

Share on:

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Security Support Provider (SSP) Added to LSA Configuration

Oct 26, 2022 · attack.persistence attack.t1547.005 ·

Share on:

Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

Wdigest CredGuard Registry Modification

Oct 26, 2022 · attack.defense_evasion attack.t1112 ·

Share on:

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.

WINEKEY Registry Modification

Oct 26, 2022 · attack.persistence attack.t1547 ·

Share on:

Detects potential malicious modification of run keys by winekey or team9 backdoor

PortProxy Registry Key

Oct 9, 2022 · attack.lateral_movement attack.defense_evasion attack.command_and_control attack.t1090 ·

Share on:

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.