This artifact detects registry changes and triggers an alert.
name: Windows.Detection.Registry
description: |
This artifact detects registry changes and triggers an alert.
author: Jos Clephas - @DfirJos
type: CLIENT_EVENT
precondition:
SELECT * FROM info() WHERE OS =~ "windows"
parameters:
- name: Period
type: int
default: 120
- name: RegistryPath
default: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*
- name: RegistryData
type: regex
default: .
- name: AlertName
default: "T1112 - Suspicious registry key modification"
- name: diff
default: added
- name: CertificateInfo
default: N
type: bool
- name: regex_IssuerName
default: .
- name: UntrustedAuthenticode
description: Show only Executables that are not trusted by Authenticode.
type: bool
default: N
- name: Calculate_hashes
default: N
type: bool
- name: regex_sha256
default: .
- name: DISABLE_DANGEROUS_API_CALLS
type: bool
description: |
Enable this to disable potentially flakey APIs which may cause
crashes.
sources:
- query: |
LET query_registry = SELECT *, OSPath.String + Data.value AS FullPath,
expand(path=Data.value) AS Datavalue
FROM glob(globs=RegistryPath, accessor="registry") WHERE Data.value =~ RegistryData
LET query_diff = SELECT *, commandline_split(command=Datavalue) as AbsolutePath
FROM diff(query=query_registry, period=Period, key="FullPath")
WHERE Diff = diff
SELECT *,
alert(name=AlertName, Key=OSPath, Value=Datavalue, RegistryValue=Diff) as AlertSent,
if(condition=Calculate_hashes,
then=hash(path=AbsolutePath[0], accessor="auto")) AS Hash,
if(condition=CertificateInfo,
then=authenticode(filename=AbsolutePath[0])) AS Certinfo
FROM query_diff
WHERE Diff = diff
AND Hash.SHA256 =~ regex_sha256
AND Certinfo.IssuerName=~regex_IssuerName
AND NOT if(condition= UntrustedAuthenticode,
then= Certinfo.Trusted = 'trusted',
else= False )