Description

Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, reconnaissance, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry keys are being created or modified in a suspicious manner.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk, Updates, Web
  • Last Updated: 2022-03-17
  • Author: Teoderick Contreras, Splunk
  • ID: 78df1df1-25f1-4387-90f9-c4ea31ce6b75

Narrative

The Windows Registry is a powerful, and still poorly understood, Windows feature that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries and threat actors abuse this hierarchical database to carry out their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry keys in ways that are not typical for most environments, providing opportunities for detection.

Detections

| Name | Technique | Type |
|---|---|---|
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Anomaly |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Enable RDP In Other Port Number | Remote Services | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP |
| Remcos client registry install entry | Modify Registry | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Sdclt UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Windows Autostart Execution LSASS Driver Registry Modification | LSASS Driver | TTP |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows Disable Notification Center | Modify Registry | Anomaly |
| Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows Impair Defense Change Win Defender Health Check Intervals | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Quick Scan Interval | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Throttle Rate | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Tracing Level | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Configure App Install Control | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Define Win Defender Threat Action | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Realtime Signature Delivery | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Web Evaluation | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender App Guard | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Compute File Hashes | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Gen reports | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Report Infection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Scan On Update | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Overide Win Defender Phishing Filter | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Override SmartScreen Prompt | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable HVCI | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Modify Registry Risk Behavior | Modify Registry | Correlation |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows Registry Certificate Added | Install Root Certificate, Subvert Trust Controls | Anomaly |
| Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Anomaly |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP |

Reference

source | version: 1