Detection rules › Splunk

Registry Keys Used For Persistence

Author
Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
Source
upstream

The following analytic identifies modifications to registry keys commonly used for persistence. It runs over registry value-set events from endpoint sources such as Sysmon (Event ID 13) or Carbon Black and matches the registry path, and for some locations the key name as well, against a fixed list of autostart locations: the Run, RunOnce, RunServices and policy Run keys, the Winlogon Shell, Userinit, Notify and VmApplet values, AppInit_DLLs, Image File Execution Options debuggers, SilentProcessExit, LSA Security Packages, BootExecute, Svchost, Netsh helpers, the htmlfile shell open command, and the Startup and Common Startup shell folders. Unauthorized changes to these locations can indicate an attempt to maintain persistence or run code at boot or logon. If confirmed malicious, this gives the attacker persistent access, arbitrary code execution, and continued control of the compromised host. Legitimate installers and updaters also write to several of these keys, so triage on the writing process (process_guid) and the value data rather than on the path alone.

MITRE ATT&CK coverage

Tactic                Techniques
Persistence           T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider  Event ID  Title
Sysmon    13        RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE (
    (Registry.registry_key_name="Debugger" Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*")
    OR (Registry.registry_key_name="BootExecute" Registry.registry_path="*\\CurrentControlSet\Control\Session Manager")
    OR (Registry.registry_key_name="Load" Registry.registry_path="*currentVersion\\Windows")
    OR (Registry.registry_key_name="Security Packages" Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa")
    OR (Registry.registry_key_name="Security Packages" Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig")
    OR (Registry.registry_key_name="Svchost" Registry.registry_path="*\\CurrentVersion")
    OR (Registry.registry_key_name="auto_update" Registry.registry_path="*\\Software\\Run")
    OR Registry.registry_path="*\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command"
    OR Registry.registry_path="*\\\\CurrentVersion\\\\Winlogon\\\\Notify*"
    OR Registry.registry_path="*\\\\CurrentVersion\\\\Winlogon\\\\Shell*"
    OR Registry.registry_path="*\\\\CurrentVersion\\\\Winlogon\\\\Userinit*"
    OR Registry.registry_path="*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet*"
    OR Registry.registry_path="*\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\*"
    OR Registry.registry_path="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler"
    OR Registry.registry_path="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run"
    OR Registry.registry_path="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce"
    OR Registry.registry_path="*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls*"
    OR Registry.registry_path="*\\\\currentversion\\\\policies\\\\explorer\\\\run*"
    OR Registry.registry_path="*\\\\currentversion\\\\run*"
    OR Registry.registry_path="*\\\\currentversion\\\\runservices*"
    OR Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*"
    OR Registry.registry_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*"
    OR Registry.registry_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup"
    OR Registry.registry_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*"
) BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                       Kind  Values
Registry.registry_key_name  eq
  • "BootExecute"
  • "Load"
  • "Security Packages"
  • "Svchost"
  • "auto_update"
  • "Debugger"
Registry.registry_path      eq
  • "*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" corpus 2 (splunk 2)
  • "*\\CurrentControlSet\Control\Session Manager"
  • "*\\CurrentControlSet\\Control\\Lsa"
  • "*\\CurrentControlSet\\Control\\Lsa\\OSConfig"
  • "*\\CurrentVersion"
  • "*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*"
  • "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*"
  • "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup"
  • "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*"
  • "*\\Software\\Run"
  • "*currentVersion\\Windows"
  • *\\Classes\\htmlfile\\shell\\open\\command
  • *\\CurrentVersion\\Winlogon\\Notify*
  • *\\CurrentVersion\\Winlogon\\Shell*
  • *\\CurrentVersion\\Winlogon\\Userinit*
  • *\\CurrentVersion\\Winlogon\\VmApplet*
  • *\\SOFTWARE\\Microsoft\\Netsh\\*
  • *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler
  • *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run
  • *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce
  • *\\currentVersion\\Windows\\Appinit_Dlls*
  • *\\currentversion\\policies\\explorer\\run*
  • *\\currentversion\\run*
  • *\\currentversion\\runservices*
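
The Stage 1 WHERE predicate and the indicator list above, re-implemented in Python and run over a few constructed Sysmon Event ID 13 records. This is an added example, not Splunk's code. It assumes that the data model presents `registry_path` as the full object path and `registry_key_name` as its last component, that Splunk compares field values case-insensitively (the rule mixes `currentversion` and `CurrentVersion`), and that each `\\` or `\\\\` in the SPL stands for a single backslash in the stored value, so every glob below uses one backslash per separator. Hostnames, users and value data are made up.

```python
"""Added example: the rule's WHERE terms as a Python predicate over sample events.
Not Splunk's code; sample events are constructed, not real telemetry."""
from collections import Counter
from fnmatch import fnmatchcase

# One (registry_key_name, registry_path glob) pair per OR-term of the rule's WHERE
# clause. A key name of None means the term constrains registry_path only.
# Assumption: one literal backslash per separator, whatever escaping the SPL used.
PREDICATES = [
    ("Debugger", r"*Microsoft\Windows NT\CurrentVersion\Image File Execution Options*"),
    ("BootExecute", r"*\CurrentControlSet\Control\Session Manager"),
    ("Load", r"*currentVersion\Windows"),
    ("Security Packages", r"*\CurrentControlSet\Control\Lsa"),
    ("Security Packages", r"*\CurrentControlSet\Control\Lsa\OSConfig"),
    ("Svchost", r"*\CurrentVersion"),
    ("auto_update", r"*\Software\Run"),
    (None, r"*\Classes\htmlfile\shell\open\command"),
    (None, r"*\CurrentVersion\Winlogon\Notify*"),
    (None, r"*\CurrentVersion\Winlogon\Shell*"),
    (None, r"*\CurrentVersion\Winlogon\Userinit*"),
    (None, r"*\CurrentVersion\Winlogon\VmApplet*"),
    (None, r"*\SOFTWARE\Microsoft\Netsh\*"),
    (None, r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"),
    (None, r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"),
    (None, r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    (None, r"*\currentVersion\Windows\Appinit_Dlls*"),
    (None, r"*\currentversion\policies\explorer\run*"),
    (None, r"*\currentversion\run*"),
    (None, r"*\currentversion\runservices*"),
    (None, r"*\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*"),
    (None, r"*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*"),
    (None, r"*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup"),
    (None, r"*\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*"),
]


def matches(event):
    """Return the first (key_name, glob) term the event satisfies, or None.
    Both sides are lower-cased to mirror Splunk's case-insensitive matching."""
    path = event.get("registry_path", "").lower()
    key = event.get("registry_key_name", "").lower()
    for key_name, glob in PREDICATES:
        if key_name is not None and key != key_name.lower():
            continue  # conjunctive term: path alone is not enough
        if fnmatchcase(path, glob.lower()):
            return (key_name, glob)
    return None


# Subset of the rule's BY fields used for the grouping step.
BY_FIELDS = ("dest", "user", "registry_path", "registry_key_name", "registry_value_data")


def run_detection(events):
    """Filter like WHERE, then group like BY and count, as tstats would."""
    hits = Counter()
    for ev in events:
        if matches(ev) is not None:
            hits[tuple(ev.get(f) for f in BY_FIELDS)] += 1
    return hits


# Constructed Sysmon EID 13 records, already mapped to data-model field names.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": r"CORP\alice",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_key_name": "Updater",
     "registry_value_data": r"C:\Users\alice\AppData\Roaming\upd.exe"},          # Run key: hit
    {"dest": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "registry_key_name": "Debugger",
     "registry_value_data": r"C:\Windows\System32\cmd.exe"},                     # IFEO debugger: hit
    {"dest": "ws02", "user": r"NT AUTHORITY\SYSTEM",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\MinimumStackCommitInBytes",
     "registry_key_name": "MinimumStackCommitInBytes",
     "registry_value_data": "0x00010000"},                                        # IFEO, other value: no hit
    {"dest": "ws02", "user": r"NT AUTHORITY\SYSTEM",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "registry_key_name": "Userinit",
     "registry_value_data": r"C:\Windows\system32\userinit.exe,C:\ProgramData\x.exe"},  # Winlogon: hit
    {"dest": "ws01", "user": r"CORP\alice",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "registry_key_name": "Hidden",
     "registry_value_data": "1"},                                                 # benign Explorer setting: no hit
]

if __name__ == "__main__":
    for group, count in run_detection(SAMPLE_EVENTS).items():
        print(count, *group)
```

The IFEO pair shows why the conjunctive terms matter: both events sit under Image File Execution Options, but only the one whose last component is Debugger fires, which keeps ordinary per-image tuning values out of the alert stream.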