Persistence via WMI Standard Registry Provider | Elastic Security Solution [8.8]

› › ›

« Persistence via WMI Event Subscription Persistent Scripts in the Startup Directory »

Persistence via WMI Standard Registry Provideredit

Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 101 (version history)

Added (Elastic Stack release): 7.13.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where registry.data.strings != null and process.name :
"WmiPrvSe.exe" and registry.path : (
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C
urrentVersion\\Policies\\Explorer\\Run\\*", "HKLM\\S
oftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\
*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C
urrentVersion\\RunOnceEx\\*",
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell", "HKEY_USERS\\*
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shel
l", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\W
indows\\System\\Scripts\\Logoff\\Script", "HKEY_USER
S\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\
Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microso
ft\\Windows\\System\\Scripts\\Shutdown\\Script", "HK
EY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\
Startup\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
)

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Windows Management Instrumentation
- ID: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/

Rule version historyedit

Version 101 (8.6.0 release)

Formatting only

Version 100 (8.5.0 release)

Updated query, changed from:

registry where registry.data.strings != null and process.name :
"WmiPrvSe.exe" and registry.path : (
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C
urrentVersion\\Policies\\Explorer\\Run\\*", "HKLM\\S
oftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\
*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C
urrentVersion\\RunOnceEx\\*",
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell", "HKEY_USERS\\
*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\She
ll", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\
\Windows\\System\\Scripts\\Logoff\\Script", "HKEY_U
SERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logo
n\\Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Mic
rosoft\\Windows\\System\\Scripts\\Shutdown\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Script
s\\Startup\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
)

Version 3 (8.4.0 release)

Formatting only

Version 2 (8.1.0 release)

Formatting only

« Persistence via WMI Event Subscription Persistent Scripts in the Startup Directory »