Windows.Events.SysmonRegistry

This artifact enables monitoring for registry events of interest via the Sysmon ETW proiver.

The artifact requires Sysmon installed collecting registry events 12,13 and 14.
It is also reccomended to run Windows.Events.TrackProcesses as this also includes a base level Sysmon install.

Monitoring is configured by a csv KeyRegex which has the following fields:

  • Regex - a regex to select registry key events of interest.
  • FilterRegex - a regex to filter out keys.
  • FilterProcess - a regex to filter out Image field - e.g C:\\Windows\\regedit\.exe$.
  • Details - a description of the Detection.
  • ATT&CK - a MITRE ATT&CK reference.

Note: This artifact may be impacted by your Sysmon configuration. Generally it is more efficient to filter at the kernel level via Sysmon configurtion.


name: Windows.Events.SysmonRegistry
author: Matt Green - @mgreen27
description: |
  This artifact enables monitoring for registry events of interest via the Sysmon 
  ETW proiver.
  
  The artifact requires Sysmon installed collecting registry events 12,13 and 14.  
  It is also reccomended to run Windows.Events.TrackProcesses as this also 
  includes a base level Sysmon install.
  
  Monitoring is configured by a csv KeyRegex which has the following fields:  
    * Regex - a regex to select registry key events of interest.  
    * FilterRegex - a regex to filter out keys.  
    * FilterProcess - a regex to filter out Image field - 
    e.g ```C:\\Windows\\regedit\.exe$```.  
    * Details - a description of the Detection.   
    * ATT&CK - a MITRE ATT&CK reference.  
    
  Note: This artifact may be impacted by your Sysmon configuration. 
  Generally it is more efficient to filter at the kernel level via Sysmon 
  configurtion.
  
type: CLIENT_EVENT

parameters:
  - name: KeyRegex
    type: csv
    default: |
        Regex,FilterRegex,FilterProcess,Details,ATT&CK
        CurrentVersion\\Run,,,"Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] ",T1060
        Policies\\Explorer\\Run,,,Windows: Alternate runs keys | Credit @ion-storm,T1060
        Group Policy\\Scripts,,,Windows: Group policy scripts,T1484
        Windows\\System\\Scripts,,,"Windows: Wildcard for Logon, Loggoff, Shutdown",T1484
        CurrentVersion\\Windows\\Load,,,Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ],T1060
        CurrentVersion\\Windows\\Run,,,Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ],T1060
        CurrentVersion\\Winlogon\\Shell,,,Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ],T1060
        CurrentVersion\\Winlogon\\System,,,Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ],T1060
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify,,,Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell,,,Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ],
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit,,,Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
        ^HKLM\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32,,,Windows: Legacy driver loading | Credit @ion-storm ,
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute,,,Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ],
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug,,,Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ],
        UserInitMprLogonScript,,,Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ],
        user shell folders\\startup$,,,Monitor changes to Startup folder location for monitoring evasion | Credit @SBousseaden,T1112
        \\ServiceDll$,,,Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ],T1031|T1050
        \\ServiceManifest$,,,Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ],T1031|T1050
        \\ImagePath$,,,Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ],T1031|T1050
        \\Start$,,,"Windows: Services start mode changes (Disabled, Automatically, Manual)",T1031|T1050
        Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$,,,Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ],
        Control\\Terminal Server\\fSingleSessionPerUser$,,,"Windows: Allow same user to have mutliple RDP sessions, to hide from admin being impersonated",
        fDenyTSConnections$,,,Windows: Attacker turning on RDP,
        LastLoggedOnUser$,,,Windows: Changing last-logged in user,
        RDP-tcp\\PortNumber$,,,Windows: Changing RDP port to evade IDS,
        Services\\PortProxy\\v4tov4$,,,Windows: Changing RDP port to evade IDS,
        \\command\\,,,Windows: Sensitive sub-key under file associations and CLSID that map to launch command,T1042
        \\ddeexec\\,,,Windows: Sensitive sub-key under file associations and CLSID that map to launch command,T1122
        {86C86720-42A0-1069-A2E8-08002B30309D},,,Windows: Tooltip handler,T1122
        exefile,,,"Windows Executable handler, to log any changes not already monitored",T1042
        \\InprocServer32\\(Default)$,,,Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm,T1122
        \\Hidden$,,,"Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event ",T1158
        \\ShowSuperHidden$,,,"Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ]",T1158
        \\HideFileExt$,,,Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users ,T1158
        Classes\\*\\,,,Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] ,
        Classes\\AllFilesystemObjects\\,,,Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] ,
        Classes\\Directory\\,,,Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ],
        Classes\\Drive\\,,,Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ],
        Classes\\Folder\\,,,"Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ]",
        Classes\\PROTOCOLS\\,,,Windows:Explorer: Protocol handlers,
        ContextMenuHandlers\\,,,Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ],
        CurrentVersion\\Shell,,,"Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ]",
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellExecuteHooks,,,Windows: ShellExecuteHooks,
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjectDelayLoad,,,Windows: ShellExecuteHooks,
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellIconOverlayIdentifiers,,,Windows: ShellExecuteHooks,
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\,,,Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ],
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram,,,Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already,
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\,,,Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying,T1484
        ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock,,,"Windows: Wildcard, includes Winsock and Winsock2",
        \\ProxyServer$,,,Windows: System and user proxy server,
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider,,,"Wildcard, includes Credential Providers and Credential Provider Filters",
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\,,,[ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ],T1101
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders,,,Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ],
        ^HKLM\\Software\\Microsoft\\Netsh,,,Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ],
        Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable,,,Windows: Malware often disables a web proxy for 2nd stage downloads,
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\,,,Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] ,
        \\EnableFirewall$,,,"Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]",T1089
        \\DoNotAllowExceptions$,,,"Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]",T1089
        ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List,,,Windows Firewall authorized applications for all networks| Credit @ion-storm ,
        ^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List,,,Windows Firewall authorized applications for domain networks ,
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\,,,Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ],T1103
        ^HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\,,,Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ],T1103
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\,,,Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ],
        Microsoft\\Office\\Outlook\\Addins\\,,,"Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues",T1137
        Office Test\\,,,Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn,T1137
        Security\\Trusted Documents\\TrustRecords,,,"Microsoft:Office: Monitor when ""Enable editing"" or ""Enable macros"" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ]",
        Internet Explorer\\Toolbar\\,,,Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] ,T1176
        Internet Explorer\\Extensions\\,,,Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] ,T1176
        Browser Helper Objects\\,,,Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ],T1176
        ^HKLM\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\\,,,Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] ,
        ^HKLM\\Software\\Classes\\WOW6432Node\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\\,,,Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] ,
        ^HKLM\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\,,,Windows: DirectX instances,
        ^HKLM\\Software\\Classes\\WOW6432Node\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\,,,Windows: DirectX instances,
        \\UrlUpdateInfo$,,,Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ],
        \\InstallSource$,,,Windows: Source folder for certain program and component installations,
        \\EulaAccepted$,,,Sysinternals tool launched. Lots of useful abilities for attackers ,
        \\DisableAntiSpyware$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
        \\DisableAntiVirus$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
        \\SpynetReporting$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
        DisableRealtimeMonitoring$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
        \\SubmitSamplesConsent$,,,Windows:Defender: State modified via registry,T1089|Tamper-Defender
        HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$,,,Detect: UAC Tampering | Credit @ion-storm ,T1088
        HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy$,,,Detect: UAC Tampering | Credit @ion-storm ,T1088
        HKLM\\Software\\Microsoft\\Security Center\\$,,,[ https://attack.mitre.org/wiki/Technique/T1089 ],T1089|Tamper-SecCenter
        SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth$,,,Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ],T1089|Tamper-SecCenter
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom,,,Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ],T1138
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB,,,Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ],T1138
        VirtualStore,,,"Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ]",
        ^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\,,,"Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE",T1183
        ^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\,,,Windows: Event log system integrity and ACLs,
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Safeboot\\,,,Windows: Services approved to load in safe mode. Almost nothing should ever modify this.,Tamper-Safemode
        ^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Winlogon\\,,,Windows: Providers notified by WinLogon,Tamper-Winlogon
        ^HKLM\\Software\\Microsoft\\Tracing\\RASAPI32,,,Windows: Malware sometimes disables tracing to obfuscate tracks,Tamper-Tracing
        \\{CAFEEFAC-,,,Java Registry,
        

sources:
  - query: |
      -- firstly generate initial regex to apply to events
      LET target_entries = join(array=KeyRegex.Regex,sep='|')
      
      -- Monitor ETW provider and extract target key event by regex
      LET hits = SELECT 
            EventData.UtcTime as EventTime,
            System.ID as EventId,
            EventData.EventType as EventType,
            EventData.TargetObject as TargetObject,
            EventData.Details as Value,
            dict(Image=EventData.Image,User=EventData.User,ProcessId=EventData.ProcessId,ProcessGuid=EventData.ProcessGuid) as ProcessInfo,
            EventData.Image as _Image
        FROM watch_etw(guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}")
        WHERE System.ID in ( 12, 13, 14 )
            AND TargetObject =~ target_entries

      -- apply additional filters and add context.
      SELECT *, process_tracker_callchain(id=ProcessInfo.ProcessId).Data as ProcessChain
      FROM foreach(row=hits, query={
          SELECT EventTime,EventId,EventType,TargetObject,Value,ProcessInfo,
            dict(Regex=Regex,FilterRegex=FilterRegex,FilterProcess=FilterProcess,Details=Details,`ATT&CK`=`ATT&CK`) as Detection
          FROM KeyRegex
          WHERE TargetObject =~ Regex
            AND NOT if(condition= FilterProcess,
                        then= _Image =~ FilterProcess,
                        else= False)
            AND NOT if(condition= FilterRegex,
                        then= TargetObject =~ FilterRegex,
                        else= False)
      })