Detection rules › Splunk
Windows Modify Registry USeWuServer
The following analytic detects a suspicious modification to the Windows Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to "0x00000001." This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" Registry.registry_value_data="0x00000001" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.registry_path | eq |
|
Registry.registry_value_data | eq |
|