Detect Remote Access Software Usage Registry

Author: Steven Dick
Source: upstream

The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1219` Remote Access Tools

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `tstats`

tstats WHERE ((Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" Registry.registry_value_name="ImagePath") OR Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Run*") BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: `search`

search

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `rex`

rex field=registry_value_data ...

Stage 6: `rex`

rex field=registry_value_data ...

Stage 7: `eval`

eval ... using (file_name_1, file_name_2)

Stage 8: `lookup`

lookup <lookup> category, comment_reference, desc, description, file_name, isutility, remote_utility, signature

Stage 9: `search`

search isutility=TRUE

Stage 10: `search`

search `macro`

Stage 11: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Registry.registry_path`	eq	`"\\Microsoft\\Windows\\CurrentVersion\\Run"` `"\\SYSTEM\\CurrentControlSet\\Services\\"`
`Registry.registry_value_name`	eq	`"ImagePath"`
`isutility`	eq	`TRUE` corpus 2 (splunk 2)

Detect Remote Access Software Usage Registry

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: rex

Stage 6: rex

Stage 7: eval

Stage 8: lookup

Stage 9: search

Stage 10: search

Stage 11: search