Windows Modify Registry Risk Behavior
Description
The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.
- Type: Correlation
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2024-05-15
- Author: Teoderick Contreras, Splunk
- ID: 5eb479b1-a5ea-4e01-8365-780078613776
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 3
| `windows_modify_registry_risk_behavior_filter`
Macros
The SPL above uses the following Macros:
windows_modify_registry_risk_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Risk.analyticstories
- All_Risk.risk_object_type
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
How To Implement
Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.
Known False Positives
False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 49.0 | 70 | 70 | An increase of Windows Modify Registry behavior has been detected on $risk_object$ |
Reference
- https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html
- https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
- https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html
- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2