| ID | Technique | Tactic |
|---|---|---|
| T1112 | Modify Registry | Defense Impairment |
Detection: Revil Registry Entry
Description
The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as SOFTWARE\\WOW6432Node\\Facebook_Assistant and SOFTWARE\\WOW6432Node\\BlackLivesMatter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.
Search
1
2| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*" OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
3| `drop_dm_object_name(Registry)`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `revil_registry_entry_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Sysmon EventID 12 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| revil_registry_entry_filter | search * |
revil_registry_entry_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.CM
CIS 10
APT32
APT38
APT41
APT42
Aquatic Panda
BlackByte
Blue Mockingbird
Dragonfly
Earth Lusca
Ember Bear
FIN8
Gamaredon Group
Gorgon Group
Indrik Spider
Kimsuky
Lotus Blossom
LuminousMoth
Magic Hound
Medusa Group
OilRig
Patchwork
Saint Bear
Sandworm Team
Silence
TA505
Threat Group-3390
Turla
Volt Typhoon
Wizard Spider
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | Yes |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
No false positives have been identified at this time.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$ | user | user | 50 |
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$ | dest | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 13