Windows Registry Payload Injection
The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1027.011 Obfuscated Files or Information: Fileless Storage |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
- Stage 1 (`tstats`): `tstats WHERE Registry.registry_value_data="*" BY _time, Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.process_guid, Registry.registry_value_data, Registry.registry_key_name, Registry.registry_hive, Registry.status, Registry.action, Registry.process_id, Registry.user, Registry.vendor_product`
- Stage 2 (`search`): `search` (no predicate shown)
- Stage 3 (`eval`): `eval ... using (registry_value_data)`
- Stage 4 (`where`): `where reg_data_len>512`
- Stage 5 (`search`): `search` (no predicate shown)
- Stage 6 (`search`): `search` (no predicate shown)
- Stage 7 (`search`): ``search `macro` ``
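As an added example (not the Splunk rule's own code), the Python below replays stages 1, 3 and 4 over constructed Sysmon Event ID 13 records: it maps Sysmon fields onto the CIM Registry fields named in the tstats BY clause, computes `reg_data_len` and applies the `>512` predicate. The Sysmon-to-CIM field mapping, the host name, paths and GUID are assumptions of this example; the sample also shows that Event ID 12 records carry no value data and are skipped, and that Sysmon writes REG_BINARY values as the literal text "Binary Data", so a binary blob never reaches a length-based threshold.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_sysmon_registry_event(xml_text):
    """Map a Sysmon Event ID 13 (Value Set) record onto the CIM Registry fields in the tstats BY clause."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "13":
        return None  # only Value Set events carry registry_value_data
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    target = data.get("TargetObject", "")
    hive, _, rest = target.partition("\\")           # HKLM, HKU, ...
    key_name, _, value_name = rest.rpartition("\\")  # key path vs. value name
    return {"_time": data.get("UtcTime"), "dest": root.findtext("e:System/e:Computer", namespaces=NS),
            "registry_path": target, "registry_hive": hive, "registry_key_name": key_name,
            "registry_value_name": value_name, "registry_value_data": data.get("Details", ""),
            "process_guid": data.get("ProcessGuid"), "process_id": data.get("ProcessId"),
            "user": data.get("User"), "action": data.get("EventType")}

def find_long_registry_writes(events, threshold=512):
    """Stages 3-4: eval reg_data_len=len(registry_value_data) | where reg_data_len>threshold."""
    hits = []
    for xml_text in events:
        row = parse_sysmon_registry_event(xml_text)
        if row is None:
            continue
        row["reg_data_len"] = len(row["registry_value_data"])
        if row["reg_data_len"] > threshold:
            hits.append(row)
    return hits

def _event(event_id, target, details):
    # Constructed Sysmon-style record for this example; host, GUID and paths are made up, not real telemetry.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID><Computer>ws01.corp.example</Computer>'
            '</System><EventData><Data Name="EventType">SetValue</Data><Data Name="UtcTime">2024-05-01 10:00:00.000</Data>'
            '<Data Name="ProcessGuid">{c0ffee00-0000-0000-0000-000000000001}</Data><Data Name="ProcessId">4242</Data>'
            f'<Data Name="Image">C:\\Windows\\System32\\reg.exe</Data><Data Name="TargetObject">{target}</Data>'
            f'<Data Name="Details">{details}</Data><Data Name="User">CORP\\alice</Data></EventData></Event>')

SAMPLE_EVENTS = [
    # 800-character string stored in a user-hive value: the fileless-storage pattern the rule targets
    _event(13, "HKU\\S-1-5-21-1\\Software\\Example\\Loader\\Stage", "QUFB" * 200),
    # ordinary Run-key entry, far below the 512-character threshold
    _event(13, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\Updater\\upd.exe"),
    # Sysmon logs REG_BINARY values as the literal text "Binary Data", so their true length is not observable
    _event(13, "HKU\\S-1-5-21-1\\Software\\Example\\Loader\\Blob", "Binary Data"),
    # Event ID 12 (key create/delete) is outside the rule's event coverage and is skipped
    _event(12, "HKU\\S-1-5-21-1\\Software\\Example\\Loader", ""),
]
```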
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| `Registry.registry_value_data` | eq | `*` |
| `reg_data_len` | gt | `512` |