|Permissions Required|User, Administrator, SYSTEM|
|Data Sources|Windows Registry, Process monitoring, Process command-line parameters|
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.[1] Some of the information may help adversaries to further their operation within a network.
- Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop.[2] Another Lazarus Group malware sample checks for the presence of the following Registry key:
- OilRig has used `reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"` on a victim to query the Registry.[4]
- Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[5]
- Turla surveys a system upon check-in to discover information in the Windows Registry with the
- ADVSTORESHELL can enumerate Registry keys.[7][8]
- BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[9]
- CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[10]
- Derusbi is capable of enumerating Registry keys and values.[11]
- DownPaper searches and reads the value of the Windows Update Registry Run key.[12]
- Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[13][14]
- JPIN can enumerate Registry keys.[15]
- OSInfo queries the Registry to look for information about Terminal Services.[16]
- POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[17]
- POWRUNER may query the Registry by running `reg query` on a victim.[18]
- PlugX can query for information contained within the Windows Registry.[19]
- PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential Privilege Escalation opportunities.[20][21]
- Reaver queries the Registry to determine the correct Startup path to use for persistence.[22]
- Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[23]
- Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[24]
- WINDSHIELD can gather Registry values.[25]
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting[26] tools, like AppLocker,[27][28] or Software Restriction Policies[29] where appropriate.[30]
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
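The command-line monitoring described above, sketched as an added example (not part of the original page): it flags Registry-query command lines and reports only bursts from one parent process, so events are read as a chain rather than in isolation. The record fields, patterns, thresholds and sample events are assumptions; in practice the fields would come from process-creation telemetry with command-line logging enabled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, non-exhaustive patterns for command lines that read the Registry.
QUERY_PATTERNS = [
    re.compile(r"\breg(?:\.exe)?[\"']?\s+query\b", re.I),  # Reg utility
    re.compile(r"\bGet-(?:ItemProperty(?:Value)?|ChildItem)\b[^|;]*\b(?:HKLM|HKCU):",
               re.I),                                      # PowerShell provider
    re.compile(r"\bStdRegProv\b", re.I),                   # WMI registry provider
]

def is_registry_query(cmdline):
    return any(p.search(cmdline) for p in QUERY_PATTERNS)

def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return (host, parent, count) where one parent process issued at least
    `threshold` Registry queries inside `window` (a chain, not a single event)."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_registry_query(ev["cmdline"]):
            by_parent[(ev["host"], ev["parent"])].append(ev["time"])
    bursts = []
    for (host, parent), times in by_parent.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((host, parent, best))
    return bursts

def _ev(ts, host, parent, cmdline):
    return {"time": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "cmdline": cmdline}

# Constructed sample records: hosts, times and ExampleVendor keys are made up.
SAMPLE_EVENTS = [
    _ev("2018-01-10T09:00:05", "WS01", "cmd.exe",
        r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'),
    _ev("2018-01-10T09:00:40", "WS01", "cmd.exe",
        r'C:\Windows\System32\reg.exe query HKLM\SOFTWARE\ExampleVendor /s'),
    _ev("2018-01-10T09:01:30", "WS01", "cmd.exe",
        r'powershell -c "Get-ItemProperty HKLM:\SOFTWARE\ExampleVendor"'),
    _ev("2018-01-10T09:02:00", "WS01", "cmd.exe",
        r'reg add HKCU\Software\ExampleVendor /v Test /d 1'),   # a write, not a query
    _ev("2018-01-10T11:15:00", "WS02", "explorer.exe",
        r'reg query HKLM\SOFTWARE\ExampleVendor'),              # single lookup
]

if __name__ == "__main__":
    for host, parent, count in find_bursts(SAMPLE_EVENTS):
        print(f"{host}: {parent} issued {count} Registry queries within 5 minutes")
```

Command-line matching does not see malware that reads the Registry directly through the Windows API, which the paragraph above notes as a separate path.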
1. Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.
2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
3. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
4. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
5. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
6. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
7. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
8. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
9. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
10. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
11. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
12. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
13. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
14. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
15. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
16. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
17. Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
18. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
19. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
20. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
21. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
22. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
23. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
24. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
25. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
26. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
27. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
28. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
29. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
30. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.