Detect Modify Registry with this “Free Splunk” Rule
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.
The Registry of a remote system may be modified to aid in the execution of files as part of lateral movement. It requires the Remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system’s SMB/Windows Admin Shares for RPC communication.
ID: T1112
Tactic: Defense Evasion
Platform: Windows
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Defense Bypassed: Host forensic analysis
Procedure Examples
S0045: ADVSTORESHELL: ADVSTORESHELL is capable of setting and deleting Registry values.
S0331: Agent Tesla: Agent Tesla can achieve persistence by modifying Registry key entries.
S0031: BACKSPACE: BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.
Mitigations
M1024: Restrict Registry Permissions: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
Detection
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). Changes to Registry entries that load software on Windows startup that does not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Resource of Install Root Certificate With this Free Splunk Detection Rule:
index=windows source=”WinEventLog:Microsoft-Windows-Sysmon/Operational” (EventCode IN (12,13) Image=”\\reg.exe” TargetObject=”\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer*”)