Detection: Windows Modify Registry Default Icon Setting

Updated Date: 2026-05-13 ID: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40 Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under "HKCR\\defaultIcon\(Default)*". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.

Search

1
2| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\defaultIcon\\(Default)*" Registry.registry_path = "*HKCR\\*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 
3| `security_content_ctime(lastTime)` 
4| `security_content_ctime(firstTime)` 
5| `drop_dm_object_name(Registry)` 
6| `windows_modify_registry_default_icon_setting_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 13	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_modify_registry_default_icon_setting_filter	`search *`

windows_modify_registry_default_icon_setting_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1112	Modify Registry	Defense Impairment

Exploitation

Installation

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	No
Creates Intermediate Finding (Risk Event)	Yes

Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

LockBit Ransomware

Intermediate Findings

Message	Entity Field	Entity Type	Risk Score
A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.	dest	system	20
A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.	user	user	20

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 12