Uncommon Registry Persistence Change

edit

Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary’s attempt to persist in a stealthy manner.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit
registry where /* uncomment once stable
length(registry.data.strings) > 0 and */ registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Run",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\IconServiceLib",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\AppSetup",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Taskman",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Userinit",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\VmApplet", "HKLM\\SOFTWARE\\Micros
oft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", "HKLM
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shel
l", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scrip
ts\\Logoff\\Script", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windo
ws\\System\\Scripts\\Logon\\Script", "HKLM\\SOFTWARE\\Policies\\
Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", "HKLM\\S
OFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Scrip
t", "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\SOFTWARE\\Microso
ft\\Windows\\CurrentVersion\\Policies\\System\\Shell", "HKEY_USE
RS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff
\\Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Window
s\\System\\Scripts\\Logon\\Script", "HKEY_USERS\\*\\SOFTWARE\\Po
licies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Script
s\\Startup\\Script", "HKLM\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\*\\ShellComponent",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnConnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
"HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*\\VerifierDlls",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
"HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\Wds\\rdpwd\\StartupPrograms",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\WinStations\\RDP-Tcp\\InitialProgram",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session
Manager\\S0InitialCommand",
"HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
"HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePat
h", "HKLM\\SYSTEM\\Setup\\CmdLine",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and not
registry.data.strings : ("C:\\Windows\\system32\\userinit.exe",
"cmd.exe", "C:\\Program Files (x86)\\*.exe",
"C:\\Program Files\\*.exe") and not (process.name : "rundll32.exe"
and registry.path : "*\\Software\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\ProgramData\\Microsoft\\Windows
Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 2 (7.11.2 release)
  • Formatting only