Try in Splunk Security Cloud

Description

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-05-31
  • Author: Bhavin Patel, Splunk
  • ID: 2b1800dd-92f9-47dd-a981-fdf1351e5d55

Narrative

Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.
The registry is a key component of the Windows operating system. It has a hierarchical database called “registry” that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.
The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.

Detections

Name Technique Type
Disable UAC Remote Restriction Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Monitor Registry Keys for Print Monitors Port Monitors, Boot or Logon Autostart Execution TTP
Reg exe used to hide files directories via registry keys Hidden Files and Directories TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution TTP
Remote Registry Key modifications   TTP
Suspicious Changes to File Associations Change Default File Association TTP
Windows Mshta Execution In Registry Mshta TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP

Reference

source | version: 1