Persistence via WMI Standard Registry Provider

Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 101 (version history)

Added (Elastic Stack release): 7.13.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

registry where registry.data.strings != null and process.name : "WmiPrvSe.exe" and
  registry.path : (
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
    "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
  )
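The rule query above, re-implemented in Python as an added example (this is not part of the Elastic rule or its documentation) and evaluated over a handful of constructed registry events. It assumes events arrive as flat dictionaries with ECS-style dotted field names, and it models the EQL `:` operator as a case-insensitive comparison in which `*` matches any run of characters; the sample events, their ids and the paths in them are constructed for illustration.

```python
import re

# Registry locations from the rule query above. EQL string literals escape
# backslashes as "\\", so every "\\" on the page is one backslash in the real
# path; the raw strings here carry that single-backslash form.
WATCHED_PATHS = [
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*",
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnce\*",
    r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*",
    r"HKLM\SYSTEM\*ControlSet*\Services\*\ServiceDLL",
    r"HKLM\SYSTEM\*ControlSet*\Services\*\ImagePath",
    r"HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\*",
    r"HKEY_USERS\*\Environment\UserInitMprLogonScript",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell",
    r"HKEY_USERS\*\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\Script",
    r"HKEY_USERS\*\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon\Script",
    r"HKEY_USERS\*\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\Script",
    r"HKEY_USERS\*\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\Script",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Ctf\LangBarAddin\*\FilePath",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Internet Explorer\Extensions\*\Exec",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Internet Explorer\Extensions\*\Script",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Command Processor\Autorun",
]


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    """Model EQL ':' matching: case-insensitive, '*' matches any run of characters,
    every other character is literal (so each fixed segment is escaped)."""
    segments = [re.escape(seg) for seg in pattern.split("*")]
    return re.compile("^" + ".*".join(segments) + "$", re.IGNORECASE)


_PATH_MATCHERS = [_wildcard_to_regex(p) for p in WATCHED_PATHS]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's predicate against one event (assumed flat, ECS-style field names)."""
    if event.get("event.category") != "registry":                      # 'registry where'
        return False
    if event.get("registry.data.strings") is None:                     # registry.data.strings != null
        return False
    if (event.get("process.name") or "").lower() != "wmiprvse.exe":    # process.name : "WmiPrvSe.exe"
        return False
    path = event.get("registry.path") or ""
    return any(rx.match(path) for rx in _PATH_MATCHERS)               # registry.path : ( ... )


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # WMI provider host writes a string value under a per-user Run key -> alert
        "id": "evt-1", "event.category": "registry", "process.name": "WmiPrvSe.exe",
        "registry.path": r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "registry.data.strings": [r"C:\Users\Public\updater.exe"],
    },
    {   # Service ImagePath changed through WMI; comparison is case-insensitive -> alert
        "id": "evt-2", "event.category": "registry", "process.name": "wmiprvse.exe",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\ExampleSvc\ImagePath",
        "registry.data.strings": [r"C:\ProgramData\svc.exe"],
    },
    {   # Same kind of Run key, but written by Explorer rather than the WMI host -> no alert
        "id": "evt-3", "event.category": "registry", "process.name": "explorer.exe",
        "registry.path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
        "registry.data.strings": [r"C:\Program Files\ExampleApp\app.exe"],
    },
    {   # WMI host on a watched key, but no string payload recorded -> no alert
        "id": "evt-4", "event.category": "registry", "process.name": "WmiPrvSe.exe",
        "registry.path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
        "registry.data.strings": None,
    },
    {   # WMI host writing outside the watched locations -> no alert
        "id": "evt-5", "event.category": "registry", "process.name": "WmiPrvSe.exe",
        "registry.path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
        "registry.data.strings": ["1.2.3"],
    },
]


def alerting_event_ids(events) -> list:
    """Return the ids of the events the rule predicate would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))   # ['evt-1', 'evt-2']
```

The rule keys on WmiPrvSe.exe because a registry write requested through StdRegProv is carried out by the WMI provider host, not by the script or remote WMI client that asked for it; the alert therefore identifies the technique but not its origin, and correlating the alert with WMI activity logging on the host (the Microsoft-Windows-WMI-Activity/Operational channel) is the natural next step in triage. Events evt-3 and evt-4 also show the two ways a write to a watched key falls outside the rule: a different writing process, or no string payload in registry.data.strings.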

Threat mapping

Framework: MITRE ATT&CK™

Rule version history

Version 101 (8.6.0 release)
  • Formatting only
Version 100 (8.5.0 release)
  • Updated query, changed from:

    registry where registry.data.strings != null and process.name : "WmiPrvSe.exe" and
      registry.path : (
        "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
        "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
        "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
        "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
        "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
        "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
        "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
        "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
        "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
        "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
        "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
        "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
        "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
      )
Version 3 (8.4.0 release)
  • Formatting only
Version 2 (8.1.0 release)
  • Formatting only