Detection rules › Splunk
Windows SnappyBee Create Test Registry
The following analytic detects modifications to the Windows registry under SOFTWARE\Microsoft\Test, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for monitoring update of itself file path, updated configuration file, or system mark compromised. The detection leverages Sysmon Event ID 13 (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.registry_path="*\\SOFTWARE\\Microsoft\\Test\\*" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.registry_path | eq |
|