This micro emulation plan targets the data source DS0024 Windows Registry. The Registry is a hierarchical database used by Windows to store critical data for the OS as well as applications/services. The Registry is organized in a tree structure, where nodes are keys made up of subkeys with corresponding data entries called values. Abuse of the Registry spans numerous diverse adversary behaviors, including tampering with system settings to enable Persistence or Privilege Escalation as well as hiding payloads or other operational information.
You can access the binary for this micro plan as part of the latest release.
What are we doing? This module provides an easy-to-execute tool for creating, populating, and modifying data in the Registry. The module supports 3 variants for performing Registry actions:
- API variant: leverages various functions provided by the .NET Microsoft.Win32 namespace
- Reg.exe variant: leverages various commands provided by the reg utility
- Powershell.exe variant: leverages various cmdlets provided by PowerShell
All three variants follow the same execution flow:
- Create a new local Registry key (HKEY_CURRENT_USER\CTID)
- Populate a new subkey (a CTID subkey with a value derived from {username_timestamp})
- Update the subkey value (Base64-encoded representation of the same {username_timestamp} value)
- Delete the key and subkey
Why should you care? The data in the Registry controls many OS and application settings and is thus associated with a broad range of adversary behaviors. Most commonly, adversaries manipulate Registry data in order to enable Persistent and/or Privileged access to victim systems (e.g. T1547.001 Registry Run Keys / Startup Folder).
Adversaries may also use the Registry to store and/or conceal operational data such as malware configurations/payloads or collected data prior to exfiltration (T1074.001 Local Data Staging). Adversaries have also used evasion tricks, such as encoding/encryption obfuscation (T1027 Obfuscated Files or Information) and naming intended to blend into the victim environment (T1036.005 Match Legitimate Name or Location) to conceal these changes.
Along with the settings for applications and services, the Registry also stores sensitive information such as credentials stored by the OS (e.g. T1003.002 Security Account Manager) or by user applications (T1552.002 Credentials in Registry).
The following image highlights ATT&CK v11 techniques that can potentially be detected by monitoring changes to registry data.
This module has been compiled into an easy-to-execute tool. The source code for this module is also provided if you wish to customize and rebuild. The windowsRegistry.exe tool executes the complete emulation functionality. It accepts a single argument that selects the execution variant (see above).
Sysmon generates event IDs 12-14 when Registry objects are created/deleted, or when a value is set and/or renamed. These, and similar events, can be used both to baseline typical Registry operations (i.e. those associated with known software) and to create analytic logic that matches potentially malicious operations.
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">\mscfile\shell\open\command</TargetObject>
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">ms-settings\shell\open\command</TargetObject>
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Credit cyb3rop -->
</RegistryEvent>
</RuleGroup>
Excerpted from github.com/olafhartong/sysmon-modular.
You can use the Windows Registry Editor (regedit.exe) as well as command-line utilities (such as reg.exe and PowerShell) to browse the Registry. Monitoring usage of these utilities may also highlight malicious activity/abuse.
Monitoring and/or alerting on all Registry operations may introduce false positives and alert fatigue. For this reason, it may be advantageous to baseline an environment (e.g. which Registry subkeys/values exist, and what processes typically create/modify these values?) to provide better context during triage/deeper analysis of potentially malicious telemetry. Analytics can however be used to monitor changes to commonly abused subkeys, as well as those identified by your organization as being higher-priority.
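As an added example (not part of the CTID plan or the Sysmon-modular project), the following Python triages constructed Sysmon RegistryEvent records: it flags writes to the commonly abused subkeys named above (the UAC-bypass paths from the rule group and the T1547.001 Run key) and, for event ID 13, values that look like Base64 blobs, which is what the emulation's third step writes. The event dictionaries, SID and image paths are constructed sample data.

```python
import base64
import binascii
import re

# Subkeys singled out on this page as commonly abused (Sysmon-modular UAC-bypass
# rules plus the Run key behind T1547.001). Matched case-insensitively as substrings.
ABUSED_SUBKEYS = {
    r"\mscfile\shell\open\command": "T1548.002",
    r"ms-settings\shell\open\command": "T1548.002",
    r"Classes\exefile\shell\runas\command\isolatedCommand": "T1548.002",
    r"\CurrentVersion\Run": "T1547.001",
}

# Sysmon RegistryEvent IDs: 12 key create/delete, 13 value set, 14 key/value rename.
REGISTRY_EVENT_IDS = {12, 13, 14}
_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def looks_like_base64(details):
    """True if a value decodes as Base64 to mostly printable text (T1027-style encoding)."""
    if not details or len(details) % 4 or not _B64.match(details):
        return False
    try:
        raw = base64.b64decode(details, validate=True)
    except (binascii.Error, ValueError):
        return False
    return sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

def triage(events):
    """Return (rule, TargetObject) findings for Sysmon registry events worth a closer look."""
    findings = []
    for ev in events:
        if ev["EventID"] not in REGISTRY_EVENT_IDS:
            continue
        target = ev["TargetObject"]
        for subkey, technique in ABUSED_SUBKEYS.items():
            if subkey.lower() in target.lower():
                findings.append((technique, target))
        if ev["EventID"] == 13 and looks_like_base64(ev.get("Details", "")):
            findings.append(("T1027 base64-looking value", target))
    return findings

# Constructed sample events shaped like Sysmon fields; mirrors the emulation flow. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\tools\windowsRegistry.exe", "TargetObject": r"HKU\S-1-5-21-1\CTID"},
    {"EventID": 13, "Image": r"C:\tools\windowsRegistry.exe", "TargetObject": r"HKU\S-1-5-21-1\CTID\CTID",
     "Details": "alice_20230101T120000"},
    {"EventID": 13, "Image": r"C:\tools\windowsRegistry.exe", "TargetObject": r"HKU\S-1-5-21-1\CTID\CTID",
     "Details": base64.b64encode(b"alice_20230101T120000").decode()},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\alice\AppData\Roaming\u.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "TargetObject": ""},
]

if __name__ == "__main__":
    for rule, target in triage(SAMPLE_EVENTS):
        print(f"{rule}: {target}")
```

The plain-text write in step two is deliberately not flagged: on its own it is indistinguishable from benign software state, which is why the page recommends baselining which processes normally write which subkeys.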
M1024 Restrict Registry Permissions can be used to protect specific Registry keys from being modified by unauthorized users. The Registry also maintains permission settings that can be managed at the object level.