Register to stream ATT&CKcon 2.0 October 29-30

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security. [1] Some of the information may help adversaries to further their operation within a network.

ID: T1012
Tactic: Discovery
Platform: Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: Windows Registry, Process monitoring, Process command-line parameters
Version: 1.0

Procedure Examples

Name Description
ADVSTORESHELL ADVSTORESHELL can enumerate registry keys. [16] [17]
APT32 APT32's backdoor can query the Windows Registry to gather system information. [55]
Azorult Azorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall. [25]
BACKSPACE BACKSPACE is capable of enumerating and making modifications to an infected system's Registry. [18]
Bankshot Bankshot searches for certain Registry keys to be configured before executing the payload. [38]
Brave Prince Brave Prince gathers information about the Registry. [5]
Carbanak Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information. [32]
Carbon Carbon enumerates values in the Registry. [39]
Cardinal RAT Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable. [26]
CHOPSTICK CHOPSTICK provides access to the Windows Registry, which can be used to gather information. [23]
Denis Denis queries the Registry for keys and values. [41]
Derusbi Derusbi is capable of enumerating Registry keys and values. [28]
DownPaper DownPaper searches and reads the value of the Windows Update Registry Run key. [21]
Dragonfly 2.0 Dragonfly 2.0 queried the Registry to identify victim information. [48]
Epic Epic uses the rem reg query command to obtain values from Registry keys. [20]
FELIXROOT FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry. [11] [12]
FinFisher FinFisher queries Registry values as part of its anti-sandbox checks. [33] [34]
Gold Dragon Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [5]
HOPLIGHT A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name. [42]
Hydraq Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys. [8] [9]
InvisiMole InvisiMole can enumerate Registry values, keys, and data. [10]
JPIN JPIN can enumerate Registry keys. [35]
Lazarus Group Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt. [50] [51] [52]
OilRig OilRig has used reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” on a victim to query the Registry. [49]
OSInfo OSInfo queries the registry to look for information about Terminal Services. [37]
PlugX PlugX can enumerate and query for information contained within the Windows Registry. [29] [30]
POWERSOURCE POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence. [31]
PowerSploit PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities. [3] [4]
POWRUNER POWRUNER may query the Registry by running reg query on a victim. [13]
Proxysvc Proxysvc gathers product names from the Registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString. [24]
QUADAGENT QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created. [36]
RATANKBA RATANKBA uses the command reg query “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings”. [22]
Reaver Reaver queries the Registry to determine the correct Startup path to use for persistence. [6]
Reg Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface. [2]
ROKRAT ROKRAT accesses the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type. [15]
Shamoon Shamoon queries several Registry keys to identify hard disk partitions to overwrite. [27]
Stealth Falcon Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry. [54]
StoneDrill StoneDrill has looked in the registry to find the default browser path. [43]
SynAck SynAck enumerates Registry keys associated with event logs. [19]
Threat Group-3390 A Threat Group-3390 tool can read and decrypt stored Registry values. [53]
Turla Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes . [20] [47]
Ursnif Ursnif has used Reg to query the Registry for installed programs. [44] [45]
Volgmer Volgmer checks the system for certain Registry keys. [7]
WINDSHIELD WINDSHIELD can gather Registry values. [14]
Zebrocy Zebrocy executes the reg query command to obtain information in the Registry. [46]
Zeus Panda Zeus Panda checks for the existence of a Registry key and if it contains certain values. [40]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.
  2. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  3. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  4. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  5. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  6. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  7. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  8. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  9. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  10. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  11. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  12. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  13. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  14. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  15. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  16. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  17. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  18. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  19. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  20. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  21. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  22. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  23. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  24. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  25. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  26. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  27. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  28. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  1. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  2. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  3. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  4. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  5. FinFisher. (n.d.). Retrieved December 20, 2017.
  6. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  7. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  8. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  9. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  10. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  11. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  12. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  13. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  14. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  15. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  16. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  17. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  18. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  19. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  20. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  21. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  22. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  23. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  24. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  25. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  26. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  27. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.