|Permissions Required||User, Administrator, SYSTEM|
|Data Sources||Windows Registry, File monitoring, Process monitoring, Process command-line parameters|
|Defense Bypassed||Host forensic analysis|
|Contributors||Bartosz Jerzman, Travis Smith, Tripwire|
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.1 Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system.2 Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.
- FIN8 has deleted Registry keys during post compromise cleanup activities.3
- ADVSTORESHELL is capable of setting and deleting Registry values.4
- BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.5
- CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.6
- creates a Registry subkey that registers a new system device.7
- Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.89
- Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.10
- creates a Registry subkey that registers a new service.11
- PHOREAL is capable of manipulating the Registry.12
- RTM can delete all Registry entries created during its execution.13
- Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.1
- Regin appears to have functionality to modify remote Registry information.14
- Rover has functionality to remove Registry Run key persistence as a cleanup procedure.15
- SOUNDBITE is capable of modifying the Registry.12
- Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting
- StreamEx has the ability to modify the Registry.18
Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting19 tools like AppLocker2021 or Software Restriction Policies22 where appropriate.23
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.