Windows Registry

Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Microsoft\AMSI\Providers.

Monitor windows registry keys that may be deleted or alter generated artifacts associated with persistence on a host system.

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.^[16]* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.^[17][18]Analysts should monitor these Registry settings for unauthorized changes.

UAC Bypass is an interesting technique in that new implementations are regularly found and existing implementations may be fixed (i.e., patched) by Microsoft in new builds of Windows. Therefore, it is important to validate than detections for UAC Bypass are still relevant (i.e., they target non-patched implementations).

Note: Sysmon Event ID 12 (Registry Key Create/Delete), Sysmon Event ID 13 (Registry Value Set), and Sysmon Event ID 14 (Registry Key and Value Rename) are useful for creating detections around Registry Key Modification in the context of UAC Bypass.

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. ^[5]

Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.

Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’

(source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")

Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[19] [20]}

Monitor for changes made to windows registry keys and/or values modifying W32Time information in the Registry.

Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. ^[5]

Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify

source="WinEventLog:Security" EventCode="4657" (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify") OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="Userinit" OR TargetObject="Shell" OR TargetObject="*Notify")

Monitor the Registry for changes to the SSP Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[19] [20]}

Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism ^[5]

Monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver as they pertain to print processor installations.

Monitor Registry key modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.^[5] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.^[5]

Analytic 1 - Modification of the HKLM\System\CurrentControlSet\Services Registry key

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (13, 14) EventType= "SetValue" TargetObject="HKLM\System\CurrentControlSet\Services*" | where RegistryKeyPath LIKE "%ImagePath%" OR RegistryKeyPath LIKE "%Type%" OR RegistryKeyPath LIKE "%DisplayName%" OR RegistryKeyPath LIKE "%Objectname%"

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.

Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screen saver files are stored in C:\Windows\System32. Use these files as a reference when defining list of not suspicious screen saver files.

Analytic 1 - Registry Edit from Screensaver

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (13, 14) TargetObject="\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"

Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. ^[21]

Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc.

Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.

Analytic 1 - AppInit DLLs

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14) TargetObject= "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls*" OR TargetObject= "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls*"

Monitor for changes to windows registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc.

There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\Software\Classes\CLSID\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.^[22] Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.

Analytic 1 - Component Object Model Hijacking

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14) TargetObject= "\Software\Classes\CLSID*"

Monitor for changes made to windows registry key or values for unexpected modifications of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key.

Monitor for changes made to windows registry keys and/or values that may use a hidden file system to conceal malicious activity from users and security tools.

Monitor for changes made to Windows Registry keys and/or values that may be the result of using a virtual instance to avoid detection. For example, if virtualization software is installed by the adversary the Registry may provide detection opportunities.

Monitor for modifications of PATH environment variable Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path. An adversary can add a new directory or list of directories before other locations where programs can be executed from.

Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.

For detecting system and user scope abuse of the COR_PROFILER variable, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools.

Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender.

Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.^[6]

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. There are different ways to perform this attack.1. The first one is to create the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise).2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system.3. The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, this one will restart immediately. Why ? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So Attacker must either disable EventLog and after to stop it or disable netprofm and after stop EventLog. Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but also generates a lot of noise because it will generate a log everytime the system shutdown).4. The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters that will lead to disable the creation of EventLog.5. The last one is to modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file (or other kind of log) to modify the path where the EventLog are stocked. Importantly, with this technique, the EventViewer will use the value of the Registry Key "file" to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old one will be stocked in another evtx. Also, the path must be in a folder that the Eventlog process has access (like it doesn’t work if attacker set up the new path in the Desktop). Attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks required administrative right. Attacks number three, four and five do not require a system reboot to be effective immediately.

Analytic 1 - Disable Windows Event Logging

(source="WinEventLog:Security" EventCode IN (4657, 4719) OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13") (ObjectName="EventLog") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")

Monitor for changes made to windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.

To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME{PROVIDER_GUID}

Monitor modifications to Registry data associated with enabling safe mode. For example, a service can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.^[8][9]

Monitor for changes to Registry keys (ex: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default) and associated values that may be malicious attempts to conceal adversary network connection history.

Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.

Monitor for changes made to windows registry keys or values for unexpected modifications

Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.

Analytic 1 - Unauthorized modifications to Registry entries for password filters.

index=windows_logs sourcetype="WinEventLog:Security" (EventCode=4657 OR EventCode=4688)| search ( (TargetObject="\SYSTEM\CurrentControlSet\Control\Lsa\" AND ValueName="Notification Packages") OR (TargetObject="\SYSTEM\CurrentControlSet\Control\Lsa\" AND ValueName="Authentication Packages") OR (CommandLine="reg.exe" AND CommandLine="add" AND CommandLine="Lsa") )| eval Modification_Type=case( like(CommandLine, "%reg.exe% add%"), "Command Line Registry Edit", EventCode=4657, "Direct Registry Modification" )

Monitor for changes to Registry entries for network providers (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order) and correlate then investigate the DLL files these values reference.

Collect events related to Registry key modification for keys that could be used for Office-based persistence.^[10][11]

Monitor for changes made to the Office Test Registry key. Collect events related to Registry key modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.^[12]

Audit the Registry entries relevant for enabling add-ins.^[13][14]

Enable the Registry Global Object Access Auditing ^[24] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:^[25]* HKLM\SOFTWARE\Microsoft\Cryptography\OID* HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID* HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust* HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

Note: As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using Regsvr32.^[26]

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.^[26]

Monitoring changes to the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\ or HKCU\Policies\Microsoft\SystemCertificates\Root\Certificates\.

There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: ^[15]* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85* 3B1EFD3A66EA28B16697394703A72CA340A05BD5* 7F88CD7223F3C813818C994614A89C99FA3B5247* 8F43288AD272F3103B6FB1428485EA3014C0BCFE* A43489159A520F0D93D032CCAF37E7FE20A8B419* BE36A4562FB2EE05DBB3D32323ADF445084ED656* CDD4EEAE6000AC7F40C3802C171E30148030C072

Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.

Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. ^[27]* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).^[27]* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.^[27]

Monitor for changes made to windows registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.

Analytic 1 - Registry changes related to service execution.

sourcetype=WinEventLog:Security OR sourcetype=Sysmon EventCode=13 OR EventCode=4657| search registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Services")| where registry_value != "legitimate_software_registry*" // Filter out common services