This artifact enables monitoring for registry events of interest via the Sysmon ETW provider.
The artifact requires Sysmon installed and collecting registry events 12, 13 and 14 (key create/delete, value set, and key/value rename). It is also recommended to run Windows.Events.TrackProcesses, as this also includes a base level Sysmon install.
Monitoring is configured by a csv KeyRegex which has the following fields:
* Regex - a regex to select registry key events of interest.
* FilterRegex - a regex to filter out keys.
* FilterProcess - a regex to filter out the Image field, e.g. C:\\Windows\\regedit\.exe$
* Details - a description of the Detection.
* ATT&CK - a MITRE ATT&CK reference.
Each event's TargetObject is first tested against all Regex values joined with `|`, then matched row by row; FilterProcess is applied to the Image and FilterRegex to the TargetObject of each matching row, so a filter on one row does not suppress a hit from another row.
Note: This artifact may be impacted by your Sysmon configuration. Generally it is more efficient to filter at the kernel level via Sysmon configuration.
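The following is an added example, not part of the artifact or the Velociraptor project, that re-implements the artifact's KeyRegex matching in Python so a CSV table can be checked offline against sample events before it is pushed to clients. The CSV rows and the Sysmon-style events are constructed for the example (the FilterProcess on the Run row and the FilterRegex on the ImagePath row are assumptions, as is the `ExampleAgent` service name); Python's `re` stands in for Velociraptor's RE2 engine, and matching is done case-insensitively to mirror VQL's `=~`. Keep patterns to the RE2 subset (no lookaround, no backreferences), since such patterns compile here but fail on the client.

```python
"""Offline check of a KeyRegex table against sample Sysmon registry events."""
import csv
import io
import re

# Constructed KeyRegex table in the artifact's CSV layout (header row is the
# parameter's own). The FilterProcess on the Run row and the FilterRegex on the
# ImagePath row are assumptions added to show how the two filter columns work.
KEY_REGEX_CSV = r"""Regex,FilterRegex,FilterProcess,Details,ATT&CK
CurrentVersion\\Run,,C:\\Windows\\regedit\.exe$,"Windows: Wildcard for Run keys, including RunOnce",T1060
DisableRealtimeMonitoring$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
\\ImagePath$,Services\\ExampleAgent\\,,Windows: Points to a service's EXE,T1031|T1050
"""

# Constructed events shaped like Sysmon EventData. Only IDs 12/13/14 are
# registry events; TargetObject uses Sysmon's HKLM/HKU hive prefixes.
SAMPLE_EVENTS = [
    {"EventId": 13, "EventType": "SetValue",   # Run key written by PowerShell: expect a hit
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventId": 13, "EventType": "SetValue",   # same key from regedit: suppressed by FilterProcess
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe",
     "Image": r"C:\Windows\regedit.exe"},
    {"EventId": 13, "EventType": "SetValue",   # Defender tamper via reg.exe: expect a hit
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"EventId": 13, "EventType": "SetValue",   # known agent's ImagePath: suppressed by FilterRegex
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleAgent\ImagePath",
     "Details": r"C:\Program Files\ExampleAgent\agent.exe",
     "Image": r"C:\Windows\System32\services.exe"},
    {"EventId": 14, "EventType": "RenameKey",  # unrelated key: no row matches
     "TargetObject": r"HKLM\SOFTWARE\Example\Settings",
     "Details": r"HKLM\SOFTWARE\Example\Settings_old",
     "Image": r"C:\Windows\System32\svchost.exe"},
]


def load_key_regex(csv_text):
    """Parse the KeyRegex CSV into the row dicts the VQL foreach iterates over."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_rows(rows):
    """Return a list of (row index, column, error) for patterns that do not compile."""
    errors = []
    for i, row in enumerate(rows):
        for col in ("Regex", "FilterRegex", "FilterProcess"):
            pattern = row.get(col, "")
            if not pattern:
                continue
            try:
                re.compile(pattern)
            except re.error as exc:
                errors.append((i, col, str(exc)))
    return errors


def matches(pattern, value):
    # VQL's =~ is case-insensitive; mirror that here.
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate(events, rows):
    """Two-stage matching as in the artifact's query.

    Stage 1 (the `hits` query): event ID in (12, 13, 14) and TargetObject
    matches every row's Regex joined with '|'.
    Stage 2 (the foreach over KeyRegex): per row, Regex must match and the
    optional FilterProcess (against Image) / FilterRegex (against TargetObject)
    must not. Filters are per row, so one row cannot suppress another's hit.
    """
    target_entries = "|".join(r["Regex"] for r in rows)
    detections = []
    for ev in events:
        if ev["EventId"] not in (12, 13, 14):
            continue
        if not matches(target_entries, ev["TargetObject"]):
            continue
        for row in rows:
            if not matches(row["Regex"], ev["TargetObject"]):
                continue
            if row["FilterProcess"] and matches(row["FilterProcess"], ev["Image"]):
                continue
            if row["FilterRegex"] and matches(row["FilterRegex"], ev["TargetObject"]):
                continue
            detections.append({
                "EventId": ev["EventId"], "EventType": ev["EventType"],
                "TargetObject": ev["TargetObject"], "Value": ev["Details"],
                "Image": ev["Image"],
                # same shape as the VQL dict(...) called Detection
                "Detection": {k: row[k] for k in
                              ("Regex", "FilterRegex", "FilterProcess", "Details", "ATT&CK")},
            })
    return detections


if __name__ == "__main__":
    table = load_key_regex(KEY_REGEX_CSV)
    for problem in validate_rows(table):
        print("bad pattern:", problem)
    for hit in evaluate(SAMPLE_EVENTS, table):
        print(hit["EventId"], hit["Detection"]["ATT&CK"], hit["TargetObject"])
```

Run it against your own exported KeyRegex table to confirm that every pattern compiles and that the events you expect to surface (and only those) survive both filter columns; two of the five constructed events above produce detections.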
name: Windows.Events.SysmonRegistry
author: Matt Green - @mgreen27
description: |
  This artifact enables monitoring for registry events of interest via the Sysmon
  ETW provider.

  The artifact requires Sysmon installed and collecting registry events 12, 13 and 14
  (key create/delete, value set, and key/value rename).
  It is also recommended to run Windows.Events.TrackProcesses as this also
  includes a base level Sysmon install.

  Monitoring is configured by a csv KeyRegex which has the following fields:

  * Regex - a regex to select registry key events of interest.
  * FilterRegex - a regex to filter out keys.
  * FilterProcess - a regex to filter out the Image field -
  e.g. ```C:\\Windows\\regedit\.exe$```.
  * Details - a description of the Detection.
  * ATT&CK - a MITRE ATT&CK reference.

  Each event's TargetObject is first tested against all Regex values joined
  with `|`, then matched row by row. FilterProcess is applied to the Image and
  FilterRegex to the TargetObject of each matching row, so a filter on one row
  does not suppress a hit from another row.

  Note: This artifact may be impacted by your Sysmon configuration.
  Generally it is more efficient to filter at the kernel level via Sysmon
  configuration.

type: CLIENT_EVENT

parameters:
  - name: KeyRegex
    type: csv
    default: |
      Regex,FilterRegex,FilterProcess,Details,ATT&CK
      CurrentVersion\\Run,,,"Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] ",T1060
      Policies\\Explorer\\Run,,,Windows: Alternate run keys | Credit @ion-storm,T1060
      Group Policy\\Scripts,,,Windows: Group policy scripts,T1484
      Windows\\System\\Scripts,,,"Windows: Wildcard for Logon, Logoff, Shutdown",T1484
      CurrentVersion\\Windows\\Load,,,Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ],T1060
      CurrentVersion\\Windows\\Run,,,Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ],T1060
      CurrentVersion\\Winlogon\\Shell,,,Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ],T1060
      CurrentVersion\\Winlogon\\System,,,Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ],T1060
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify,,,Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell,,,Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ],
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit,,,Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
      ^HKLM\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32,,,Windows: Legacy driver loading | Credit @ion-storm ,
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute,,,Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug,,,Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ],
      UserInitMprLogonScript,,,Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ],
      user shell folders\\startup$,,,Monitor changes to Startup folder location for monitoring evasion | Credit @SBousseaden,T1112
      \\ServiceDll$,,,Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ],T1031|T1050
      \\ServiceManifest$,,,Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ],T1031|T1050
      \\ImagePath$,,,Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ],T1031|T1050
      \\Start$,,,"Windows: Services start mode changes (Disabled, Automatically, Manual)",T1031|T1050
      Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$,,,Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ],
      Control\\Terminal Server\\fSingleSessionPerUser$,,,"Windows: Allow same user to have multiple RDP sessions, to hide from admin being impersonated",
      fDenyTSConnections$,,,Windows: Attacker turning on RDP,
      LastLoggedOnUser$,,,Windows: Changing last-logged in user,
      RDP-tcp\\PortNumber$,,,Windows: Changing RDP port to evade IDS,
      Services\\PortProxy\\v4tov4$,,,"Windows: netsh interface portproxy v4tov4 forwarding rule, used to pivot or proxy RDP",
      \\command\\,,,Windows: Sensitive sub-key under file associations and CLSID that map to launch command,T1042
      \\ddeexec\\,,,Windows: Sensitive sub-key under file associations and CLSID that map to launch command,T1122
      {86C86720-42A0-1069-A2E8-08002B30309D},,,Windows: Tooltip handler,T1122
      exefile,,,"Windows Executable handler, to log any changes not already monitored",T1042
      \\InprocServer32\\(Default)$,,,Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm,T1122
      \\Hidden$,,,"Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event ",T1158
      \\ShowSuperHidden$,,,"Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ]",T1158
      \\HideFileExt$,,,Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users ,T1158
      Classes\\*\\,,,Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] ,
      Classes\\AllFilesystemObjects\\,,,Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] ,
      Classes\\Directory\\,,,Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ],
      Classes\\Drive\\,,,Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ],
      Classes\\Folder\\,,,"Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ]",
      Classes\\PROTOCOLS\\,,,Windows:Explorer: Protocol handlers,
      ContextMenuHandlers\\,,,Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ],
      CurrentVersion\\Shell,,,"Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ]",
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellExecuteHooks,,,Windows: ShellExecuteHooks,
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjectDelayLoad,,,Windows: ShellServiceObjectDelayLoad,
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellIconOverlayIdentifiers,,,Windows: ShellIconOverlayIdentifiers,
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\,,,Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ],
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram,,,Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already,
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\,,,Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying,T1484
      ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock,,,"Windows: Wildcard, includes Winsock and Winsock2",
      \\ProxyServer$,,,Windows: System and user proxy server,
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider,,,"Wildcard, includes Credential Providers and Credential Provider Filters",
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\,,,[ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ],T1101
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\(SecurityProviders|WDigest),,,"Windows: SSP DLL list (SecurityProviders value) and WDigest UseLogonCredential, used to load credential-stealing SSPs or re-enable cleartext credential caching [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ]",T1101
      ^HKLM\\Software\\Microsoft\\Netsh,,,Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ],
      Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable,,,Windows: Malware often disables a web proxy for 2nd stage downloads,
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\,,,Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] ,
      \\EnableFirewall$,,,"Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]",T1089
      \\DoNotAllowExceptions$,,,"Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]",T1089
      ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List,,,Windows Firewall authorized applications for all networks| Credit @ion-storm ,
      ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List,,,Windows Firewall authorized applications for domain networks ,
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\,,,Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ],T1103
      ^HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\,,,Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ],T1103
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\,,,Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ],
      Microsoft\\Office\\Outlook\\Addins\\,,,"Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues",T1137
      Office Test\\,,,Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn,T1137
      Security\\Trusted Documents\\TrustRecords,,,"Microsoft:Office: Monitor when ""Enable editing"" or ""Enable macros"" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ]",
      Internet Explorer\\Toolbar\\,,,Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] ,T1176
      Internet Explorer\\Extensions\\,,,Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] ,T1176
      Browser Helper Objects\\,,,Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ],T1176
      ^HKLM\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\\,,,Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] ,
      ^HKLM\\Software\\Classes\\WOW6432Node\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\\,,,Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] ,
      ^HKLM\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\,,,Windows: DirectX instances,
      ^HKLM\\Software\\Classes\\WOW6432Node\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\,,,Windows: DirectX instances,
      \\UrlUpdateInfo$,,,Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ],
      \\InstallSource$,,,Windows: Source folder for certain program and component installations,
      \\EulaAccepted$,,,Sysinternals tool launched. Lots of useful abilities for attackers ,
      \\DisableAntiSpyware$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
      \\DisableAntiVirus$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
      \\SpynetReporting$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
      DisableRealtimeMonitoring$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
      \\SubmitSamplesConsent$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
      HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$,,,Detect: UAC Tampering | Credit @ion-storm ,T1088
      HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy$,,,Detect: UAC Tampering | Credit @ion-storm ,T1088
      HKLM\\Software\\Microsoft\\Security Center\\$,,,[ https://attack.mitre.org/wiki/Technique/T1089 ],T1089|Tamper-SecCenter
      SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth$,,,Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ],T1089|Tamper-SecCenter
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom,,,Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ],T1138
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB,,,Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ],T1138
      VirtualStore,,,"Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ]",
      ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\,,,"Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE",T1183
      ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\,,,Windows: Event log system integrity and ACLs,
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Safeboot\\,,,Windows: Services approved to load in safe mode. Almost nothing should ever modify this.,Tamper-Safemode
      ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Winlogon\\,,,Windows: Providers notified by WinLogon,Tamper-Winlogon
      ^HKLM\\Software\\Microsoft\\Tracing\\RASAPI32,,,Windows: Malware sometimes disables tracing to obfuscate tracks,Tamper-Tracing
      \\{CAFEEFAC-,,,Java Registry,
sources:
  - query: |
      -- firstly generate initial regex to apply to events: every Regex
      -- column joined with | so the ETW stream is filtered once, cheaply
      LET target_entries = join(array=KeyRegex.Regex,sep='|')

      -- Monitor the Microsoft-Windows-Sysmon ETW provider, keep only the
      -- registry events (12 CreateKey/DeleteKey, 13 SetValue, 14 RenameKey)
      -- and extract target key events by the combined regex
      LET hits = SELECT
          EventData.UtcTime as EventTime,
          System.ID as EventId,
          EventData.EventType as EventType,
          EventData.TargetObject as TargetObject,
          EventData.Details as Value,
          dict(Image=EventData.Image,User=EventData.User,ProcessId=EventData.ProcessId,ProcessGuid=EventData.ProcessGuid) as ProcessInfo,
          EventData.Image as _Image
        FROM watch_etw(guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}")
        WHERE System.ID in ( 12, 13, 14 )
          AND TargetObject =~ target_entries

      -- apply the per-row filters and add context: a hit is reported once
      -- for each KeyRegex row whose Regex matches and whose FilterProcess
      -- (against Image) and FilterRegex (against TargetObject) do not.
      -- ProcessChain comes from the process tracker, hence the
      -- Windows.Events.TrackProcesses recommendation.
      SELECT *, process_tracker_callchain(id=ProcessInfo.ProcessId).Data as ProcessChain
      FROM foreach(row=hits, query={
          SELECT EventTime,EventId,EventType,TargetObject,Value,ProcessInfo,
              dict(Regex=Regex,FilterRegex=FilterRegex,FilterProcess=FilterProcess,Details=Details,`ATT&CK`=`ATT&CK`) as Detection
          FROM KeyRegex
          WHERE TargetObject =~ Regex
            AND NOT if(condition= FilterProcess,
                    then= _Image =~ FilterProcess,
                    else= False)
            AND NOT if(condition= FilterRegex,
                    then= TargetObject =~ FilterRegex,
                    else= False)
        })
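The description's note that filtering is cheaper at the kernel level is worth acting on: Sysmon only emits registry events that pass its own RegistryEvent rules, so everything discarded there never reaches ETW or this artifact's VQL. The fragment below is an added example of such a configuration, not part of the artifact or the Velociraptor project; it covers a handful of the default KeyRegex rows (Run keys, Winlogon, service binaries, Defender and firewall tampering, LSA). The `schemaversion` value and the excluded agent path are assumptions: set the version to what `sysmon64.exe -s` reports for the installed binary, and load the file with `sysmon64.exe -c <file>`.

```xml
<!-- Added example: minimal Sysmon filtering for the registry events this
     artifact consumes. schemaversion is an assumption; match it to the
     installed binary (sysmon64.exe -s). -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- RegistryEvent governs IDs 12 (CreateKey/DeleteKey), 13 (SetValue)
           and 14 (RenameKey). Only TargetObjects matching a rule below are
           logged; Sysmon compares case-insensitively and renders hives as
           HKLM / HKU / HKCR, which is what the artifact's ^HKLM regexes expect. -->
      <RegistryEvent onmatch="include">
        <TargetObject name="Run keys (T1060)" condition="contains">CurrentVersion\Run</TargetObject>
        <TargetObject name="Alternate run keys (T1060)" condition="contains">Policies\Explorer\Run</TargetObject>
        <TargetObject name="Winlogon (T1060)" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
        <TargetObject name="Winlogon (T1060)" condition="contains">CurrentVersion\Winlogon\Userinit</TargetObject>
        <TargetObject name="Service binary (T1031)" condition="end with">\ServiceDll</TargetObject>
        <TargetObject name="Service binary (T1031)" condition="end with">\ImagePath</TargetObject>
        <TargetObject name="Defender tamper (T1089)" condition="end with">DisableRealtimeMonitoring</TargetObject>
        <TargetObject name="Defender tamper (T1089)" condition="end with">\DisableAntiSpyware</TargetObject>
        <TargetObject name="Firewall tamper (T1089)" condition="end with">\EnableFirewall</TargetObject>
        <TargetObject name="LSA (T1101)" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
        <TargetObject name="SSP / WDigest (T1101)" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Kernel-side equivalent of a FilterProcess row for one known-noisy
           writer. The path is an assumption for the example; prefer narrow
           Image exclusions, since a broad one hides the attacker too. -->
      <RegistryEvent onmatch="exclude">
        <Image condition="is">C:\Program Files\ExampleAgent\agent.exe</Image>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Keep the Sysmon include list at least as broad as the KeyRegex Regex column: a row in KeyRegex that has no corresponding Sysmon rule never fires, and the artifact gives no indication that the event was dropped upstream.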