Analytics Story: Windows Registry Abuse
Description
Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.
Why it matters
Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.
Correlation Search
Windows Modify Registry Risk Behavior
1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
2 WHERE source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*")
3 BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
4| `drop_dm_object_name(All_Risk)`
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| where source_count >= 3
8| `windows_modify_registry_risk_behavior_filter`
Detections
| Name ▲▼ |
Technique ▲▼ |
Type ▲▼ |
| Windows Service Creation Using Registry Entry |
Services Registry Permissions Weakness |
Anomaly |
| Disable UAC Remote Restriction |
Bypass User Account Control |
TTP |
| Disable Windows SmartScreen Protection |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Win Defender Gen reports |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Win Defender Scan On Update |
Disable or Modify Tools |
TTP |
| Disable Windows App Hotkeys |
Modify Registry, Disable or Modify Tools |
TTP |
| Windows Disable Notification Center |
Modify Registry |
Anomaly |
| Disable ETW Through Registry |
Disable or Modify Tools |
TTP |
| Disable Registry Tool |
Modify Registry, Disable or Modify Tools |
TTP |
| Windows Disable Shutdown Button Through Registry |
Modify Registry |
Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry |
Modify Registry |
TTP |
| Windows Impair Defenses Disable HVCI |
Disable or Modify Tools |
TTP |
| Eventvwr UAC Bypass |
Bypass User Account Control |
TTP |
| Sdclt UAC Bypass |
Bypass User Account Control |
TTP |
| Windows Impair Defense Disable Win Defender Network Protection |
Disable or Modify Tools |
TTP |
| Windows Impair Defenses Disable Auto Logger Session |
Disable or Modify Tools |
Anomaly |
| Windows Outlook LoadMacroProviderOnBoot Persistence |
Modify Registry, Office Application Startup |
TTP |
| Disabling Task Manager |
Disable or Modify Tools |
TTP |
| Windows Registry Dotnet ETW Disabled Via ENV Variable |
Disable or Modify Tools |
TTP |
| Disabling SystemRestore In Registry |
Inhibit System Recovery |
TTP |
| Windows Registry Certificate Added |
Install Root Certificate |
Anomaly |
| Remcos client registry install entry |
Modify Registry |
TTP |
| Windows Impair Defense Disable Win Defender App Guard |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Web Evaluation |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Controlled Folder Access |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Delete Win Defender Context Menu |
Disable or Modify Tools |
Hunting |
| Disabling Windows Local Security Authority Defences via Registry |
Modify Authentication Process |
TTP |
| Allow Inbound Traffic By Firewall Rule Registry |
Remote Desktop Protocol |
TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Delete Win Defender Profile Registry |
Disable or Modify Tools |
Anomaly |
| Windows Disable LogOff Button Through Registry |
Modify Registry |
Anomaly |
| Windows Sensitive Registry Hive Dump Via CommandLine |
Security Account Manager |
TTP |
| Disable Security Logs Using MiniNt Registry |
Modify Registry |
TTP |
| Hide User Account From Sign-In Screen |
Disable or Modify Tools |
TTP |
| WSReset UAC Bypass |
Bypass User Account Control |
TTP |
| Disable Defender Enhanced Notification |
Disable or Modify Tools |
TTP |
| Windows Autostart Execution LSASS Driver Registry Modification |
LSASS Driver |
TTP |
| Registry Keys for Creating SHIM Databases |
Application Shimming |
TTP |
| Windows Impair Defense Set Win Defender Smart Screen Level To Warn |
Disable or Modify Tools |
TTP |
| Windows Outlook Macro Security Modified |
Fallback Channels, Office Application Startup |
TTP |
| Windows Impair Defense Override SmartScreen Prompt |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Change Win Defender Throttle Rate |
Disable or Modify Tools |
TTP |
| Disable Defender Submit Samples Consent Feature |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Configure App Install Control |
Disable or Modify Tools |
TTP |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder |
TTP |
| Screensaver Event Trigger Execution |
Screensaver |
TTP |
| Disabling NoRun Windows App |
Modify Registry, Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Defender Protocol Recognition |
Disable or Modify Tools |
TTP |
| Auto Admin Logon Registry Entry |
Credentials in Registry |
TTP |
| Windows Impair Defense Disable Realtime Signature Delivery |
Disable or Modify Tools |
TTP |
| Windows Disable Windows Group Policy Features Through Registry |
Modify Registry |
Anomaly |
| Windows Hide Notification Features Through Registry |
Modify Registry |
Anomaly |
| Disabling Remote User Account Control |
Bypass User Account Control |
TTP |
| Disable Defender AntiVirus Registry |
Disable or Modify Tools |
TTP |
| Windows Outlook Dialogs Disabled from Unusual Process |
Modify Registry, Disable or Modify Tools |
TTP |
| Windows AD DSRM Account Changes |
Account Manipulation |
TTP |
| Windows Impair Defenses Disable Win Defender Auto Logging |
Disable or Modify Tools |
Anomaly |
| Disabling FolderOptions Windows Feature |
Disable or Modify Tools |
TTP |
| Revil Registry Entry |
Modify Registry |
TTP |
| Windows DisableAntiSpyware Registry |
Disable or Modify Tools |
TTP |
| Monitor Registry Keys for Print Monitors |
Port Monitors |
TTP |
| Registry Keys Used For Privilege Escalation |
Image File Execution Options Injection |
TTP |
| Windows Registry Delete Task SD |
Scheduled Task, Disable or Modify Tools |
Anomaly |
| Disabling CMD Application |
Modify Registry, Disable or Modify Tools |
TTP |
| Windows Registry Modification for Safe Mode Persistence |
Registry Run Keys / Startup Folder |
TTP |
| Windows Impair Defense Disable PUA Protection |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Define Win Defender Threat Action |
Disable or Modify Tools |
TTP |
| Windows Disable Memory Crash Dump |
Data Destruction |
TTP |
| Disable AMSI Through Registry |
Disable or Modify Tools |
TTP |
| ETW Registry Disabled |
Trusted Developer Utilities Proxy Execution, Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Win Defender Compute File Hashes |
Disable or Modify Tools |
TTP |
| Disable Defender Spynet Reporting |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Win Defender Report Infection |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Change Win Defender Health Check Intervals |
Disable or Modify Tools |
TTP |
| Windows Disable Lock Workstation Feature Through Registry |
Modify Registry |
Anomaly |
| Windows New Default File Association Value Set |
Change Default File Association |
Hunting |
| Modification Of Wallpaper |
Defacement |
TTP |
| Disable Show Hidden Files |
Modify Registry, Hidden Files and Directories, Disable or Modify Tools |
Anomaly |
| Windows Impair Defense Overide Win Defender Phishing Filter |
Disable or Modify Tools |
TTP |
| Disabling Defender Services |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Disable Defender Firewall And Network |
Disable or Modify Tools |
TTP |
| Disable Windows Behavior Monitoring |
Disable or Modify Tools |
TTP |
| Windows Impair Defense Change Win Defender Quick Scan Interval |
Disable or Modify Tools |
TTP |
| Enable WDigest UseLogonCredential Registry |
OS Credential Dumping, Modify Registry |
TTP |
| Allow Operation with Consent Admin |
Abuse Elevation Control Mechanism |
TTP |
| Windows Impair Defense Change Win Defender Tracing Level |
Disable or Modify Tools |
TTP |
| Enable RDP In Other Port Number |
Remote Services |
TTP |
| Disable Defender BlockAtFirstSeen Feature |
Disable or Modify Tools |
TTP |
| Disable Defender MpEngine Registry |
Disable or Modify Tools |
TTP |
| Disabling ControlPanel |
Modify Registry, Disable or Modify Tools |
TTP |
| Time Provider Persistence Registry |
Time Providers |
TTP |
| SilentCleanup UAC Bypass |
Bypass User Account Control |
TTP |
Data Sources
References
Source: GitHub | Version: 2
Windows