Ruben Groenewoud
3bfe3060a2
* [Rule Tuning] Uncommon Registry Persistence Change * updated updated_date --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
124 lines
6.5 KiB
TOML
124 lines
6.5 KiB
TOML
[metadata]
|
|
creation_date = "2020/11/18"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/03/20"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could
|
|
be an indication of an adversary's attempt to persist in a stealthy manner.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Uncommon Registry Persistence Change"
|
|
references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
|
|
risk_score = 47
|
|
rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
|
|
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
|
|
timeline_title = "Comprehensive Registry Timeline"
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
registry where host.os.type == "windows" and
|
|
/* uncomment once stable length(registry.data.strings) > 0 and */
|
|
registry.path : (
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
|
|
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
|
|
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
|
|
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
|
|
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
|
|
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
|
|
"HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls",
|
|
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
|
|
"HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
|
|
"HKLM\\SYSTEM\\Setup\\CmdLine",
|
|
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
|
|
|
|
not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe",
|
|
"C:\\Program Files\\*.exe") and
|
|
not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
|
|
not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
|
|
"C:\\Windows\\SysWOW64\\msiexec.exe",
|
|
"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
|
|
"C:\\Program Files\\*.exe",
|
|
"C:\\Program Files (x86)\\*.exe")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1547"
|
|
name = "Boot or Logon Autostart Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1547/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1547.001"
|
|
name = "Registry Run Keys / Startup Folder"
|
|
reference = "https://attack.mitre.org/techniques/T1547/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1112"
|
|
name = "Modify Registry"
|
|
reference = "https://attack.mitre.org/techniques/T1112/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|