Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-05-31
- Author: Bhavin Patel, Splunk
- ID: 2b1800dd-92f9-47dd-a981-fdf1351e5d55
Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.
The registry is a key component of the Windows operating system: a hierarchical database that holds settings, options, and values for the system and its executables. Once a threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.
The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.
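As an added illustration of the kind of detection logic the story's searches perform, the following Python script is not part of the Splunk content; it scans constructed registry-modification records for two of the behaviours described above: values written through reg.exe (under service and autorun keys) and writes aimed at a remote host's registry. The field names (process_name, user, registry_path, action) and the convention that a remote target appears as a UNC-style host prefix on the registry path are assumptions made for the sample data, not a statement about any particular log source.

```python
"""Toy detector for suspicious Windows registry modifications.

Added example, not code from the Splunk story. Assumptions: events are
constructed key=value records with the field names used below, and a
registry_path beginning with \\\\HOST\\ marks a write to HOST's registry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events, one per line (raw string: backslashes are literal).
SAMPLE_EVENTS = r"""
action=modified process_name=C:\Windows\System32\reg.exe user=CORP\svc_backup registry_path=HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath
action=modified process_name=C:\Windows\System32\reg.exe user=CORP\jdoe registry_path=\\FILESRV01\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
action=modified process_name=C:\Program Files\Vendor\installer.exe user=NT AUTHORITY\SYSTEM registry_path=HKLM\SOFTWARE\Vendor\Version
action=modified process_name=C:\Windows\System32\services.exe user=NT AUTHORITY\SYSTEM registry_path=HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start
"""

# key=value pairs; values may contain spaces, so a value runs until the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Assumed representation of a remote target: \\HOST\ prefix before the hive.
REMOTE_PREFIX_RE = re.compile(r"^\\\\([^\\]+)\\")
# Service definitions (persistence / privilege) and autorun keys (persistence).
SERVICES_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    user: str
    process_name: str
    registry_path: str
    remote_host: Optional[str]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def analyse(event: Dict[str, str]) -> List[Finding]:
    """Apply the detection rules to a single parsed event."""
    process = event.get("process_name", "")
    path = event.get("registry_path", "")
    is_reg_exe = process.rsplit("\\", 1)[-1].lower() == "reg.exe"

    remote = REMOTE_PREFIX_RE.match(path)
    host = remote.group(1) if remote else None
    # Strip the host prefix so key patterns apply to local and remote paths alike.
    local_path = path[remote.end():] if remote else path

    rules: List[str] = []
    if host:
        rules.append("remote_registry_write")
    if is_reg_exe and SERVICES_KEY_RE.search(local_path):
        rules.append("reg_exe_services_key")
    if is_reg_exe and RUN_KEY_RE.search(local_path):
        rules.append("reg_exe_run_key")
    return [Finding(rule, event.get("user", ""), process, path, host) for rule in rules]


def scan(log_text: str) -> List[Finding]:
    """Run every non-empty line of a log through the rules."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(analyse(parse_event(line)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        where = f" on {finding.remote_host}" if finding.remote_host else ""
        print(f"[{finding.rule}] {finding.user} via {finding.process_name}"
              f" -> {finding.registry_path}{where}")
```

Run as-is it reports three findings: the reg.exe write to a service's ImagePath, and the remote Run-key write on FILESRV01 twice (once as a remote write, once as a reg.exe autorun write). The services.exe write to the same Services key is not flagged, which is the point of keying the service rule on reg.exe rather than on the path alone; a production search would also join process lineage and logon session data, which this toy omits.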
- Version: 1