Analytics Story: Suspicious Windows Registry Activities

Description

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

Why it matters

Attackers keep refining techniques for taking control of target systems while evading detection, and registry modification has become a common one. The Windows registry is a hierarchical database of settings, options, and values that the operating system and its applications read at boot, at logon, and at run time. Once a threat actor has a foothold on a machine, a built-in tool such as reg.exe is enough to modify the registry to weaken User Account Control, plant persistence (for example in Run keys or Image File Execution Options), register malicious components such as print monitors, shim databases, and services, and prepare lateral movement within the environment. The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.

Detections

Name | Technique | Type
Disable UAC Remote Restriction | Bypass User Account Control | TTP
Disabling Remote User Account Control | Bypass User Account Control | TTP
Monitor Registry Keys for Print Monitors | Port Monitors | TTP
Registry Keys for Creating SHIM Databases | Application Shimming | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP
Windows Mshta Execution In Registry | Mshta | TTP
Windows Outlook WebView Registry Modification | Modify Registry | Anomaly
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
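The following is an added example, not part of this story or of the Splunk Security Content project. It shows the kind of logic the detections above apply to the Sysmon Event ID 13 source: parse each registry SetValue record, then match the TargetObject path and the written value against patterns that approximate the listed detections. The patterns are my own approximations, not the story's SPL searches, and the sample events are constructed rather than captured telemetry.

```python
"""Added example: registry-detection logic over Sysmon Event ID 13 records.

The rules below are approximations of the story's detections, not its SPL;
the sample events are constructed, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (detection name, regex on TargetObject or None, regex on Details or None)
# Sysmon renders DWORD data as "DWORD (0x00000001)", so value checks key on that.
RULES = [
    ("Registry Keys Used For Persistence",
     r"\\CurrentVersion\\(Run|RunOnce)\\", None),
    ("Registry Keys Used For Privilege Escalation",
     r"\\Image File Execution Options\\[^\\]+\\Debugger$", None),
    ("Disable UAC Remote Restriction",
     r"\\Policies\\System\\LocalAccountTokenFilterPolicy$", r"0x00000001"),
    ("Disabling Remote User Account Control",
     r"\\Policies\\System\\EnableLUA$", r"0x00000000"),
    ("Monitor Registry Keys for Print Monitors",
     r"\\Control\\Print\\Monitors\\[^\\]+\\Driver$", r"\.dll$"),
    ("Registry Keys for Creating SHIM Databases",
     r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", None),
    ("Windows Mshta Execution In Registry", None, r"mshta"),
    ("Windows Outlook WebView Registry Modification",
     r"\\Office\\[^\\]+\\Outlook\\WebView\\", None),
    ("Windows Service Creation Using Registry Entry",
     r"\\Services\\[^\\]+\\ImagePath$", None),
]


def make_event(image, target, details, event_id="13", event_type="SetValue"):
    """Build a minimal Sysmon Operational XML record (constructed sample data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="EventType">{escape(event_type)}</Data>'
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="TargetObject">{escape(target)}</Data>'
        f'<Data Name="Details">{escape(details)}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one Sysmon XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields


def match_rules(fields):
    """Names of every rule whose path and data patterns both match the record."""
    target = fields.get("TargetObject", "")
    details = fields.get("Details", "")
    hits = []
    for name, path_re, data_re in RULES:
        if path_re and not re.search(path_re, target, re.IGNORECASE):
            continue
        if data_re and not re.search(data_re, details, re.IGNORECASE):
            continue
        hits.append(name)
    return hits


def analyze(xml_events):
    """Keep only Event ID 13 SetValue records; return (rule, Image, TargetObject)."""
    findings = []
    for xml_text in xml_events:
        event_id, fields = parse_event(xml_text)
        if event_id != "13" or fields.get("EventType") != "SetValue":
            continue  # key create/delete (ID 12) and renames (ID 14) are out of scope
        for name in match_rules(fields):
            findings.append((name, fields.get("Image", ""), fields["TargetObject"]))
    return findings


REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [  # constructed; not real telemetry
    make_event(REG, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
               r"C:\Users\Public\update.exe"),
    make_event(REG, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                    r"\LocalAccountTokenFilterPolicy", "DWORD (0x00000001)"),
    make_event(REG, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Image File Execution Options\sethc.exe\Debugger",
               r"C:\Windows\System32\cmd.exe"),
    make_event(r"C:\Windows\System32\svchost.exe",  # benign DHCP write, no hit
               r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpIPAddress",
               "10.0.0.5"),
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Init",
               r"mshta.exe C:\Users\Public\a.hta"),  # two rules fire
    make_event(REG, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X", "",
               event_id="12", event_type="CreateKey"),  # key create: filtered out
]

if __name__ == "__main__":
    for rule, image, target in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {target}")
```

Two points worth carrying into a production search: the value-data checks (UAC flags, .dll print monitors) are what keep the path-only patterns from firing on routine policy refreshes, and a single write can legitimately satisfy more than one detection, as the RunOnce entry that launches mshta.exe does here, so findings should be recorded per rule rather than per event.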

Source: GitHub | Version: 1