Windows Modify Registry Risk Behavior
Description
This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code.
- Type: Correlation
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2023-06-15
- Author: Teoderick Contreras, Splunk
- ID: 5eb479b1-a5ea-4e01-8365-780078613776
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 3
| `windows_modify_registry_risk_behavior_filter`
Macros
The SPL above uses the following Macros:
windows_modify_registry_risk_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Risk.analyticstories
- All_Risk.risk_object_type
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
How To Implement
Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.
Known False Positives
False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 49.0 | 70 | 70 | An increase of Windows Modify Registry behavior has been detected on $risk_object$ |
Reference
- https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html
- https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
- https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html
- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1