Analytics Story: Suspicious Windows Registry Activities

Description

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

Why it matters

Attackers are developing increasingly sophisticated techniques for hijacking target servers while evading detection. One technique that has become progressively more common is registry modification. The Windows registry is a core component of the operating system: a hierarchical database that holds settings, options, and values for executables. Once a threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment. The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.

Detections

Name | Technique | Type
Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP
Remote Registry Key modifications | None | TTP
Suspicious Changes to File Associations | Change Default File Association | TTP
Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP
Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP
Windows Mshta Execution In Registry | Mshta | TTP
Windows Outlook WebView Registry Modification | Modify Registry | Anomaly
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
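The data sources above are Sysmon registry events: EventID 12 (key created or deleted) and EventID 13 (value set), plus EventID 1 for the process that issued the change. The following is an added example, not one of the story's own Splunk searches, showing how detection logic of this kind is applied to such records outside Splunk: it parses Sysmon XML events and flags writes under registry paths that correspond to the persistence and privilege-escalation categories listed in the detections table. The watched path fragments, the sample events, and the category names are constructed for this example; they are assumptions, not the analytics story's definitions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Windows Event Log XML namespace used by Sysmon records exported as XmlWinEventLog.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/windows/events/event"}

# Registry path fragments matched case-insensitively against Sysmon's TargetObject.
# These are assumed fragments chosen for this example to mirror the detection
# categories on the page (Run keys, IFEO, print monitors, shim databases).
WATCHED_FRAGMENTS = {
    "run_key_persistence": (
        "\\software\\microsoft\\windows\\currentversion\\run\\",
        "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    ),
    "ifeo_privilege_escalation": ("\\image file execution options\\",),
    "print_monitor_persistence": ("\\control\\print\\monitors\\",),
    "shim_database": ("\\appcompatflags\\custom\\",),
}


def parse_sysmon_event(xml_text):
    """Return EventID plus the EventData name/value pairs of one Sysmon XML record."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return event


def classify_registry_event(event):
    """Return the watch category for a registry event (EventID 12 or 13), or None."""
    if event.get("EventID") not in (12, 13):
        return None  # EventID 1 and other records carry no TargetObject to inspect
    target = event.get("TargetObject", "").lower()
    for category, fragments in WATCHED_FRAGMENTS.items():
        if any(fragment in target for fragment in fragments):
            return category
    return None


def detect(events_xml):
    """Run each record through the classifier and return the resulting alerts."""
    alerts = []
    for xml_text in events_xml:
        event = parse_sysmon_event(xml_text)
        category = classify_registry_event(event)
        if category:
            alerts.append({
                "category": category,
                "image": event.get("Image", ""),
                "target": event.get("TargetObject", ""),
                "details": event.get("Details", ""),
            })
    return alerts


def make_event(event_id, image, target="", details=None, event_type="SetValue"):
    """Build a minimal Sysmon-shaped XML record (constructed sample, not a real capture)."""
    extra = f'<Data Name="Details">{escape(details)}</Data>' if details is not None else ""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="EventType">{event_type}</Data>'
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="TargetObject">{escape(target)}</Data>{extra}</EventData></Event>'
    )


# Constructed sample records: two that should alert, two that should not.
SAMPLE_EVENTS = [
    make_event(13, "C:\\Windows\\System32\\reg.exe",
               "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
               details="C:\\Users\\Public\\updater.exe"),
    make_event(12, "C:\\Windows\\regedit.exe",
               "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe",
               event_type="CreateKey"),
    make_event(13, "C:\\Windows\\System32\\svchost.exe",
               "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{guid}\\DhcpIPAddress",
               details="10.0.0.5"),
    make_event(1, "C:\\Windows\\System32\\reg.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["category"], alert["image"], alert["target"], alert["details"])
```

In production the same classification would run as an SPL search over the XmlWinEventLog sourcetype rather than in Python, but the logic is identical: restrict to EventID 12/13, normalise TargetObject, and match it against the key paths each detection cares about, carrying Image and Details along so the analyst can see which process wrote what.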

Source: GitHub | Version: 1