Analytics Story: Windows Registry Abuse

Date: 2022-03-17 ID: 78df1df1-25f1-4387-90f9-c4ea31ce6b75 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.

Why it matters

Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.

Correlation Search

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Allow Inbound Traffic By Firewall Rule Registry	Remote Desktop Protocol, Remote Services	TTP
Allow Operation with Consent Admin	Abuse Elevation Control Mechanism	TTP
Attempted Credential Dump From Registry via Reg exe	Security Account Manager, OS Credential Dumping	TTP
Auto Admin Logon Registry Entry	Credentials in Registry, Unsecured Credentials	TTP
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Disable AMSI Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender AntiVirus Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender BlockAtFirstSeen Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Enhanced Notification	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender MpEngine Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Spynet Reporting	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Submit Samples Consent Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable ETW Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Registry Tool	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disable Security Logs Using MiniNt Registry	Modify Registry	TTP
Disable Show Hidden Files	Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry	Anomaly
Disable UAC Remote Restriction	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disable Windows App Hotkeys	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disable Windows Behavior Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Disable Windows SmartScreen Protection	Disable or Modify Tools, Impair Defenses	TTP
Disabling CMD Application	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disabling ControlPanel	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disabling Defender Services	Disable or Modify Tools, Impair Defenses	TTP
Disabling FolderOptions Windows Feature	Disable or Modify Tools, Impair Defenses	TTP
Disabling NoRun Windows App	Disable or Modify Tools, Impair Defenses, Modify Registry	TTP
Disabling Remote User Account Control	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disabling SystemRestore In Registry	Inhibit System Recovery	TTP
Disabling Task Manager	Disable or Modify Tools, Impair Defenses	TTP
Disabling Windows Local Security Authority Defences via Registry	Modify Authentication Process	TTP
Enable RDP In Other Port Number	Remote Services	TTP
Enable WDigest UseLogonCredential Registry	Modify Registry, OS Credential Dumping	TTP
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Eventvwr UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Hide User Account From Sign-In Screen	Disable or Modify Tools, Impair Defenses	TTP
Modification Of Wallpaper	Defacement	TTP
Monitor Registry Keys for Print Monitors	Port Monitors, Boot or Logon Autostart Execution	TTP
Registry Keys for Creating SHIM Databases	Application Shimming, Event Triggered Execution	TTP
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Registry Keys Used For Privilege Escalation	Image File Execution Options Injection, Event Triggered Execution	TTP
Remcos client registry install entry	Modify Registry	TTP
Revil Registry Entry	Modify Registry	TTP
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Sdclt UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
SilentCleanup UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
Windows AD DSRM Account Changes	Account Manipulation	TTP
Windows Autostart Execution LSASS Driver Registry Modification	LSASS Driver	TTP
Windows Disable Lock Workstation Feature Through Registry	Modify Registry	Anomaly
Windows Disable LogOff Button Through Registry	Modify Registry	Anomaly
Windows Disable Memory Crash Dump	Data Destruction	TTP
Windows Disable Notification Center	Modify Registry	Anomaly
Windows Disable Shutdown Button Through Registry	Modify Registry	Anomaly
Windows Disable Windows Group Policy Features Through Registry	Modify Registry	Anomaly
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows Hide Notification Features Through Registry	Modify Registry	Anomaly
Windows Impair Defense Change Win Defender Health Check Intervals	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Change Win Defender Quick Scan Interval	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Change Win Defender Throttle Rate	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Change Win Defender Tracing Level	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Configure App Install Control	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Define Win Defender Threat Action	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Delete Win Defender Context Menu	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Delete Win Defender Profile Registry	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Impair Defense Disable Controlled Folder Access	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Defender Firewall And Network	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Defender Protocol Recognition	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable PUA Protection	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Realtime Signature Delivery	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Web Evaluation	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender App Guard	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Compute File Hashes	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Gen reports	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Network Protection	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Report Infection	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Scan On Update	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Disable Win Defender Signature Retirement	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Overide Win Defender Phishing Filter	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Override SmartScreen Prompt	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defense Set Win Defender Smart Screen Level To Warn	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defenses Disable HVCI	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defenses Disable Win Defender Auto Logging	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Modify Show Compress Color And Info Tip Registry	Modify Registry	TTP
Windows Registry Certificate Added	Install Root Certificate, Subvert Trust Controls	Anomaly
Windows Registry Delete Task SD	Scheduled Task, Impair Defenses	Anomaly
Windows Registry Modification for Safe Mode Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Windows Service Creation Using Registry Entry	Services Registry Permissions Weakness	TTP
WSReset UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

Source: GitHub | Version: 1