Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security. Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:
During Operation Wocao, the threat actors executed
Pillowmint has used shellcode which reads code stored in the registry keys
Proxysvc gathers product names from the Registry key:
SILENTTRINITY can use the
Turla surveys a system upon check-in to discover information in the Windows Registry with the
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Note: For PowerShell Module logging event id 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.
Analytic 1 - Suspicious Commands
| DS0009 | Process | OS API Execution |
Monitor for API calls (such as
Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.
Analytic 1 - Suspicious API Calls
Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.
Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with the LOLBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR).
Analytic 1 - Suspicious Processes with Registry keys
Analytic 2 - reg.exe spawned from suspicious cmd.exe
cmd_processes = filter command_line where (event_id == "1" OR event_id == "4688") AND (ProcessFilePath LIKE '%cmd.exe%' AND ProcessParentFilePath NOT LIKE '%explorer.exe%')
suspicious_processes = SELECT r.ProcessGuid, r.ProcessFilePath, c.ProcessFilePath AS ProcessParentFilePath
FROM reg_processes r
INNER JOIN cmd_processes c
ON r.ProcessParentGuid = c.ProcessGuid
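Analytic 2 carried out over a constructed set of process-creation events, as an added Python example that is not part of the ATT&CK page and not the pseudo-query language used above. It assumes the reg_processes filter (not shown on the page) selects reg.exe process-creation events, and it keeps the grandparent path so an analyst can see what launched the non-explorer cmd.exe.

```python
"""Analytic 2 - reg.exe spawned from a cmd.exe that was not started by explorer.exe."""

# Constructed sample events in Sysmon event id 1 / Security 4688 style (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": "1", "ProcessGuid": "g1", "ProcessParentGuid": "g0",
     "ProcessFilePath": r"C:\Windows\explorer.exe", "ProcessParentFilePath": r"C:\Windows\System32\userinit.exe"},
    {"event_id": "1", "ProcessGuid": "g2", "ProcessParentGuid": "g1",          # interactive shell
     "ProcessFilePath": r"C:\Windows\System32\cmd.exe", "ProcessParentFilePath": r"C:\Windows\explorer.exe"},
    {"event_id": "1", "ProcessGuid": "g3", "ProcessParentGuid": "g2",          # reg.exe from an interactive shell: excluded
     "ProcessFilePath": r"C:\Windows\System32\reg.exe", "ProcessParentFilePath": r"C:\Windows\System32\cmd.exe"},
    {"event_id": "4688", "ProcessGuid": "g5", "ProcessParentGuid": "g4",       # cmd.exe under an unknown binary
     "ProcessFilePath": r"C:\Windows\System32\cmd.exe", "ProcessParentFilePath": r"C:\Users\Public\update.exe"},
    {"event_id": "4688", "ProcessGuid": "g6", "ProcessParentGuid": "g5",       # reg.exe from that cmd.exe: hit
     "ProcessFilePath": r"C:\Windows\System32\reg.exe", "ProcessParentFilePath": r"C:\Windows\System32\cmd.exe"},
    {"event_id": "3", "ProcessGuid": "g7", "ProcessParentGuid": "g5",          # network event, not process creation
     "ProcessFilePath": r"C:\Windows\System32\reg.exe", "ProcessParentFilePath": r"C:\Windows\System32\cmd.exe"},
]

PROCESS_CREATE_IDS = {"1", "4688"}   # Sysmon ProcessCreate and Security process-creation events


def _like(path, needle):
    """Case-insensitive substring match, mirroring the LIKE '%needle%' predicates of the analytic."""
    return needle.lower() in path.lower()


def reg_processes(events):
    """Assumed definition of the page's reg_processes filter: process creations of reg.exe."""
    return [e for e in events if e["event_id"] in PROCESS_CREATE_IDS and _like(e["ProcessFilePath"], "reg.exe")]


def cmd_processes(events):
    """cmd.exe process creations whose parent is anything other than explorer.exe."""
    return [e for e in events if e["event_id"] in PROCESS_CREATE_IDS
            and _like(e["ProcessFilePath"], "cmd.exe")
            and not _like(e["ProcessParentFilePath"], "explorer.exe")]


def suspicious_reg_from_cmd(events):
    """INNER JOIN reg_processes r ON cmd_processes c WHERE r.ProcessParentGuid = c.ProcessGuid."""
    cmd_by_guid = {c["ProcessGuid"]: c for c in cmd_processes(events)}
    hits = []
    for r in reg_processes(events):
        c = cmd_by_guid.get(r["ProcessParentGuid"])
        if c is not None:
            hits.append({"ProcessGuid": r["ProcessGuid"], "ProcessFilePath": r["ProcessFilePath"],
                         "ProcessParentFilePath": c["ProcessFilePath"],
                         "GrandparentFilePath": c["ProcessParentFilePath"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_reg_from_cmd(SAMPLE_EVENTS):
        print(hit)
```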
Analytic 3 - Rare LolBAS command lines
number_standard_deviations = 1.5
suspicious_processes = SELECT ProcessFilePath, ProcessCount, AVG(ProcessCount) OVER() - STDEV(ProcessCount) OVER() * number_standard_deviations AS LowerBound
FROM count_lolbas_processes
WHERE ProcessCount < LowerBound
| DS0024 | Windows Registry | Windows Registry Key Access |
Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.
Note: For Security Auditing event ids 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, the implementation of a new System Access Control List (SACL) might be required. Depending on the Registry key used for the creation of a System Access Control List (SACL), the generation of event ids 4656 and 4663 might be noisy.
Analytic 1 - Suspicious Registry