Description
Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, reconnaissance, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry keys or values are being created or modified in a suspicious manner.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-03-17
- Author: Teoderick Contreras, Splunk
- ID: 78df1df1-25f1-4387-90f9-c4ea31ce6b75
Narrative
The Windows Registry is a powerful, and still widely misunderstood, Windows feature that controls Windows policies and low-level configuration settings. Because of this capability, malware and threat actors frequently abuse this hierarchical database to carry out malicious activity on a targeted host or network. In these cases, attackers often use tools to create or modify registry keys in ways that are not typical for most environments, which provides opportunities for detection.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses | TTP |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Enable RDP In Other Port Number | Remote Services | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP |
| Remcos client registry install entry | Modify Registry | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Sdclt UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Windows Autostart Execution LSASS Driver Registry Modification | LSASS Driver | TTP |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows Disable Notification Center | Modify Registry | Anomaly |
| Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Impair Defenses Disable HVCI | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows Registry Certificate Added | Install Root Certificate, Subvert Trust Controls | Anomaly |
| Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Anomaly |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP |
Reference
source | version: 1