Windows Modify Registry Qakbot Binary Data Registry

Author: Teoderick Contreras, Bhavin Patel, Splunk
Source: upstream

The following analytic detects the creation of suspicious registry entries by Qakbot malware, characterized by registry value names made of 8 random hexadecimal characters that hold encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the "SOFTWARE\Microsoft\" path by processes such as explorer.exe. This activity is significant because it indicates a potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.

MITRE ATT&CK coverage

Tactic | Technique
Persistence | T1112 Modify Registry
Defense Evasion | T1112 Modify Registry

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation
Sysmon | 13 | RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats dc(registry_value_name) AS registry_value_name_count WHERE Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" Registry.registry_value_data="Binary Data" BY _time, Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: search

search

Stage 3: eval

eval ... using (registry_key_name)

Stage 4: eval

eval ... using (registry_value_name)

Stage 5: regex

regex match(registry_value_name, "^[0-9a-fA-F]{8}")

Stage 6: where

where registry_key_name_len<80

Stage 7: join

join type=inner (...)

Stage 8: stats

stats BY dest, process_guid, process_name, parent_process_name

Stage 9: search

search

Stage 10: search

search

Stage 11: where

where registry_value_name_count>=5

Stage 12: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Processes.process_name | in
  • "OneDriveSetup.exe"
  • "dxdiag.exe"
  • "explorer.exe"
  • "mobsync.exe"
  • "msra.exe"
  • "wermgr.exe"
  • "xwizard.exe"
Registry.registry_path | eq
  • "*\\SOFTWARE\\Microsoft\\*"
Registry.registry_value_data | eq
  • "Binary Data" (corpus 3: splunk 3)
registry_key_name_len | lt
  • 80
registry_value_name | regex_match
  • "^[0-9a-fA-F]{8}"
registry_value_name_count | ge
  • 5
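The same predicates and threshold, rendered as a standalone Python check over constructed Sysmon Event ID 13 records (an added example, not part of the Splunk analytic); the process list, regex and thresholds come from the Indicators table above, and a process_name field is embedded in each event as a stand-in for the join on the Processes data model.

```python
import re
from collections import defaultdict

# Constants taken from the rule's Indicators table.
SUSPICIOUS_PROCESSES = {"OneDriveSetup.exe", "dxdiag.exe", "explorer.exe",
                        "mobsync.exe", "msra.exe", "wermgr.exe", "xwizard.exe"}
VALUE_NAME_RE = re.compile(r"^[0-9a-fA-F]{8}")
MAX_KEY_NAME_LEN, MIN_DISTINCT_VALUES = 80, 5

def is_candidate(ev):
    """Per-event predicates: stage 1 filters, stage 5 regex, stage 6 length check."""
    return ("\\SOFTWARE\\MICROSOFT\\" in ev["registry_path"].upper()
            and ev["registry_value_data"] == "Binary Data"
            and VALUE_NAME_RE.match(ev["registry_value_name"]) is not None
            and len(ev["registry_key_name"]) < MAX_KEY_NAME_LEN)

def find_qakbot_like_writers(events):
    """Stages 8 and 11: count distinct value names per (dest, process_guid) and
    keep groups that reach the threshold and were written by a listed process."""
    names = defaultdict(set)
    procs = {}
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev["dest"], ev["process_guid"])
        names[key].add(ev["registry_value_name"])
        procs[key] = ev["process_name"]  # stands in for the join on Processes
    return [
        {"dest": d, "process_guid": g, "process_name": procs[(d, g)],
         "registry_value_name_count": len(v)}
        for (d, g), v in names.items()
        if len(v) >= MIN_DISTINCT_VALUES and procs[(d, g)] in SUSPICIOUS_PROCESSES
    ]

def _event(proc, guid, key, name, data="Binary Data", dest="ws01"):
    """Build one constructed Sysmon EventID 13 record using CIM-style field names."""
    return {"dest": dest, "process_guid": guid, "process_name": proc,
            "registry_path": f"HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\{key}\\{name}",
            "registry_key_name": f"SOFTWARE\\Microsoft\\{key}",
            "registry_value_name": name, "registry_value_data": data}

# Constructed sample: explorer.exe writing six hex-named binary values (fires),
# one ordinary explorer.exe value, and svchost.exe doing the same pattern (not listed).
SAMPLE_EVENTS = (
    [_event("explorer.exe", "{G1}", "Ajtsfhg", n)
     for n in ("a1b2c3d4", "0f9e8d7c", "deadbeef", "12345678", "cafebabe", "00ff00ff")]
    + [_event("explorer.exe", "{G1}", "Windows\\CurrentVersion", "Version", data="10.0")]
    + [_event("svchost.exe", "{G2}", "Ajtsfhg", n)
       for n in ("a1b2c3d4", "0f9e8d7c", "deadbeef", "12345678", "cafebabe")]
)
```

Calling find_qakbot_like_writers(SAMPLE_EVENTS) returns only the explorer.exe group with a registry_value_name_count of 6; the svchost.exe group meets the count but is dropped because the process is not in the list.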