Uncommon Registry Persistence Change | Elastic Security Solution [8.5]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Unauthorized Access to an Okta Application Unexpected Child Process of macOS Screensaver Engine »

Uncommon Registry Persistence Changeedit

Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary’s attempt to persist in a stealthy manner.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 100 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where /* uncomment once stable
length(registry.data.strings) > 0 and */ registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Run",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\IconServiceLib",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\AppSetup",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Taskman",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Userinit",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\VmApplet", "HKLM\\SOFTWARE\\Micros
oft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", "HKLM
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shel
l", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scrip
ts\\Logoff\\Script", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windo
ws\\System\\Scripts\\Logon\\Script", "HKLM\\SOFTWARE\\Policies\\
Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", "HKLM\\S
OFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Scrip
t", "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\SOFTWARE\\Microso
ft\\Windows\\CurrentVersion\\Policies\\System\\Shell", "HKEY_USE
RS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff
\\Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Window
s\\System\\Scripts\\Logon\\Script", "HKEY_USERS\\*\\SOFTWARE\\Po
licies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Script
s\\Startup\\Script", "HKLM\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\*\\ShellComponent",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnConnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
"HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*\\VerifierDlls",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
"HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\Wds\\rdpwd\\StartupPrograms",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\WinStations\\RDP-Tcp\\InitialProgram",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session
Manager\\S0InitialCommand",
"HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
"HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePat
h", "HKLM\\SYSTEM\\Setup\\CmdLine",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and not
registry.data.strings : ("C:\\Windows\\system32\\userinit.exe",
"cmd.exe", "C:\\Program Files (x86)\\*.exe",
"C:\\Program Files\\*.exe") and not (process.name : "rundll32.exe"
and registry.path : "*\\Software\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\ProgramData\\Microsoft\\Windows
Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe")

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Modify Registry
- ID: T1112
- Reference URL: https://attack.mitre.org/techniques/T1112/

Rule version historyedit

Version 100 (8.5.0 release)

Updated query, changed from:

registry where /* uncomment once stable
length(registry.data.strings) > 0 and */ registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Run",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\IconServiceLib",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\AppSetup",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Taskman",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Userinit",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\VmApplet", "HKLM\\SOFTWARE\\Micros
oft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", "HKLM
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shel
l", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scrip
ts\\Logoff\\Script", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windo
ws\\System\\Scripts\\Logon\\Script", "HKLM\\SOFTWARE\\Policies\\
Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", "HKLM\\S
OFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Scrip
t", "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\SOFTWARE\\Microso
ft\\Windows\\CurrentVersion\\Policies\\System\\Shell", "HKEY_USE
RS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff
\\Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Window
s\\System\\Scripts\\Logon\\Script", "HKEY_USERS\\*\\SOFTWARE\\Po
licies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Script
s\\Startup\\Script", "HKLM\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\*\\ShellComponent",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnConnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
"HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*\\VerifierDlls",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
"HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\Wds\\rdpwd\\StartupPrograms",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\WinStations\\RDP-Tcp\\InitialProgram",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session
Manager\\S0InitialCommand",
"HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
"HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePat
h", "HKLM\\SYSTEM\\Setup\\CmdLine",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and not
registry.data.strings : ("C:\\Windows\\system32\\userinit.exe",
"cmd.exe", "C:\\Program Files (x86)\\*.exe",
"C:\\Program Files\\*.exe") and not (process.name : "rundll32.exe"
and registry.path : "*\\Software\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\ProgramData\\Microsoft\\Windows
Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe")

Version 10 (8.4.0 release)

Formatting only

Version 9 (8.3.0 release)

Formatting only

Version 7 (8.2.0 release)

Formatting only

Version 5 (8.1.0 release)

Formatting only

Version 4 (7.16.0 release)

Formatting only

Version 3 (7.12.0 release)

Formatting only

Version 2 (7.11.2 release)

Formatting only

« Unauthorized Access to an Okta Application Unexpected Child Process of macOS Screensaver Engine »