Persistence via WMI Standard Registry Provider

Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • winlogbeat-*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

registry where registry.data.strings != null and process.name : "WmiPrvSe.exe" and
  registry.path : (
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
    "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
  )
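To see how the three conditions of this rule combine, the following added example (not Elastic's code) re-implements the match logic offline over a few constructed registry events. It approximates EQL's `:` operator as a case-insensitive wildcard comparison and uses only a subset of the rule's path list; the field names mirror the ECS fields in the query.

```python
"""Offline approximation of the rule's match logic over constructed events."""
from fnmatch import fnmatchcase

# Subset of the rule's registry.path patterns (raw strings, so single backslashes).
PERSISTENCE_PATHS = [
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKLM\SYSTEM\*ControlSet*\Services\*\ServiceDLL",
    r"HKLM\SYSTEM\*ControlSet*\Services\*\ImagePath",
    r"HKEY_USERS\*\Environment\UserInitMprLogonScript",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Command Processor\Autorun",
]

def eql_match(value, patterns):
    """Approximate EQL ':' : case-insensitive, '*' matches any run of characters."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_matches(event):
    """True when the event satisfies all conditions of the rule query."""
    if event.get("event.category") != "registry":          # 'registry where'
        return False
    if event.get("registry.data.strings") is None:          # registry.data.strings != null
        return False
    if not eql_match(event.get("process.name", ""), ["WmiPrvSe.exe"]):
        return False
    return eql_match(event.get("registry.path", ""), PERSISTENCE_PATHS)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.category": "registry", "process.name": "WmiPrvSE.exe",   # WMI writes a Run key: alert
     "registry.path": r"HKEY_USERS\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry.data.strings": [r"C:\Users\Public\upd.exe"]},
    {"event.category": "registry", "process.name": "explorer.exe",   # same key, other process: no alert
     "registry.path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "registry.data.strings": [r"C:\Program Files\OneDrive\OneDrive.exe"]},
    {"event.category": "registry", "process.name": "WmiPrvSE.exe",   # ServiceDLL under ControlSet001: alert
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\Foo\Parameters\ServiceDLL",
     "registry.data.strings": [r"C:\Windows\Temp\foo.dll"]},
    {"event.category": "registry", "process.name": "WmiPrvSE.exe",   # no value data (e.g. deletion): no alert
     "registry.path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Old",
     "registry.data.strings": None},
]

def alerts(events=SAMPLE_EVENTS):
    """Return the registry.path of every event the rule would alert on."""
    return [e["registry.path"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for path in alerts():
        print("ALERT:", path)
```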

Threat mapping

Framework: MITRE ATT&CK™