
PowerShell Modifying Registry Values (Windows Event Log)

Group by: _time, host
Source: github.com/anvilogic-forge/armory

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. This use case detects PowerShell commands accessing or modifying the Current User or Local Machine registry hives.

Rule body (yaml)

id: '15967.23906'
title: PowerShell Modifying Registry Values
description: 'Adversaries may interact with the Windows Registry to hide configuration
  information within Registry keys, remove information as part of cleaning up, or
  as part of other techniques to aid in persistence and execution. This use case detects
  PowerShell commands accessing or modifying the Current User or Local Machine registry
  hives. -- Threat Actor Association: CL-STA-0043 -- Atomics T1059.001 Test #11 Atomics
  T1546.008 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
  "<EventID>4688<" OR Type=Process) (TERM(Invoke-Expression) OR "IEX") ("HKLM" OR
  "HKEY_LOCAL_MACHINE" OR "HKCU" OR "HKEY_CURRENT_USER") | table _time, host, user
  process, process_*, signature_id | bin span=1s | stats values(*) as * by _time,
  host '
techniques:
- defense-evasion:modify registry
- execution:command and scripting interpreter:powershell
technique_id:
- T1112
- T1059.001
data_category:
- Windows event logs
- Process command-line parameters
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-11---powershell-fileless-script-execution

Stages and Predicates

Stage 1: search

`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) (TERM(Invoke-Expression) OR "IEX") ("HKLM" OR "HKEY_LOCAL_MACHINE" OR "HKCU" OR "HKEY_CURRENT_USER")

Stage 2: table

| table _time, host, user process, process_*, signature_id

Stage 3: bucket

| bin span=1s

Stage 4: stats

| stats values(*) as * by _time, host

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.

Field      Kind  Values
EventCode  eq    4688  (corpus 313: splunk 283, kusto 30)

Search terms

Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.

Stage  Term
1      TERM
1      "<EventID>4688<"
1      "Invoke-Expression"
1      "IEX"
1      "HKLM"
1      "HKEY_LOCAL_MACHINE"
1      "HKCU"
1      "HKEY_CURRENT_USER"
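To make the four stages and the bare-term matching described above concrete, the following added example emulates the rule offline in Python. It is not code from the armory repository or from this catalog page. It runs the stage 1 predicates, the stage 2 field projection, the 1-second binning and the values(*)-by-_time-host aggregation over constructed 4688/4624 records. Two assumptions are baked in: Splunk's major/minor-breaker tokenization is approximated by a "whole token, case-insensitive" boundary rule, and the records are flattened key=value lines in which signature_id mirrors EventCode (as a CIM field alias would); real _raw text and field extractions will differ.

```python
"""Offline emulation of the 'PowerShell Modifying Registry Values' Splunk rule stages."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample _raw lines (not real telemetry). Flattened process records with
# key=value fields; signature_id mirrors EventCode (an assumed CIM alias).
SAMPLE_EVENTS = [
    # matches: 4688 + IEX + HKCU
    '2024-05-01T10:00:00Z host=ws01 EventCode=4688 signature_id=4688 user=alice '
    'process=powershell.exe process_command_line="powershell -nop -c IEX (Get-Content '
    'C:\\Temp\\s.txt -Raw); Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion'
    '\\Run -Name Updater -Value example_value"',
    # no match: unrelated process on the same host and second
    '2024-05-01T10:00:00Z host=ws01 EventCode=4688 signature_id=4688 user=alice '
    'process=conhost.exe process_command_line="\\??\\C:\\Windows\\system32\\conhost.exe 0x4"',
    # no match: registry read without Invoke-Expression/IEX
    '2024-05-01T10:00:01Z host=ws02 EventCode=4688 signature_id=4688 user=bob '
    'process=powershell.exe process_command_line="powershell Get-ItemProperty '
    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
    # no match: right command line, wrong event (4624 logon, not 4688 process creation)
    '2024-05-01T10:00:01Z host=ws03 EventCode=4624 signature_id=4624 user=carol '
    'process=powershell.exe process_command_line="powershell Invoke-Expression $cmd; '
    'Set-ItemProperty HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor -Name a -Value b"',
    # no match: "iex" only as a substring of the user name, not a whole token
    '2024-05-01T10:00:02Z host=ws02 EventCode=4688 signature_id=4688 user=iexplorer '
    'process=powershell.exe process_command_line="powershell Get-ItemProperty HKCU:\\Software\\Vendor"',
    # matches: 4688 + Invoke-Expression + HKEY_CURRENT_USER
    '2024-05-01T10:00:03Z host=ws01 EventCode=4688 signature_id=4688 user=alice '
    'process=powershell.exe process_command_line="powershell -w hidden Invoke-Expression '
    '(Get-Content C:\\Temp\\s.txt -Raw); New-ItemProperty HKEY_CURRENT_USER\\Software\\Vendor -Name Flag -Value 1"',
]

# The three parenthesised OR-groups of the stage 1 SPL; all three must be satisfied.
TOKEN_TERMS = {
    "process_creation": ["EventCode=4688", "<EventID>4688<", "Type=Process"],
    "dynamic_eval": ["Invoke-Expression", "IEX"],
    "registry_hive": ["HKLM", "HKEY_LOCAL_MACHINE", "HKCU", "HKEY_CURRENT_USER"],
}


def has_term(raw: str, term: str) -> bool:
    """Approximate a Splunk bare-term match: the term must occur anywhere in _raw as a
    whole token (not inside a longer alphanumeric run), case-insensitively. Splunk's
    real major/minor breaker tokenization is richer; this boundary rule is a simplification."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, raw, re.IGNORECASE) is not None


def stage1_search(raw: str) -> bool:
    """Stage 1: every OR-group must have at least one matching term."""
    return all(any(has_term(raw, t) for t in terms) for terms in TOKEN_TERMS.values())


FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def stage2_table(raw: str) -> dict:
    """Stage 2: keep only _time, host, user, process, process_*, signature_id."""
    fields = {"_time": raw.split(" ", 1)[0]}  # constructed lines lead with the timestamp
    for m in FIELD_RE.finditer(raw):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        if key in ("host", "user", "process", "signature_id") or key.startswith("process_"):
            fields[key] = val
    return fields


def stage3_bin(fields: dict, span_seconds: int = 1) -> dict:
    """Stage 3: floor _time to the span boundary (bin span=1s in the rule)."""
    ts = datetime.strptime(fields["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    floored = int(ts.timestamp()) // span_seconds * span_seconds
    binned = datetime.fromtimestamp(floored, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {**fields, "_time": binned}


def stage4_stats(rows: list) -> list:
    """Stage 4: stats values(*) as * by _time, host -> distinct values per field per bucket."""
    buckets = defaultdict(lambda: defaultdict(set))
    for row in rows:
        for k, v in row.items():
            if k not in ("_time", "host"):
                buckets[(row["_time"], row["host"])][k].add(v)
    return [
        {"_time": t, "host": h, **{k: sorted(v) for k, v in vals.items()}}
        for (t, h), vals in sorted(buckets.items())
    ]


def run_rule(raw_events: list) -> list:
    """Chain the four stages and return the aggregated result rows."""
    matched = [stage3_bin(stage2_table(r)) for r in raw_events if stage1_search(r)]
    return stage4_stats(matched)


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

The decoy records show why the rule's filter behaves as the Search terms section says: the hive and evaluation tokens are matched anywhere in the raw text, so the user name "iexplorer" is not mistaken for the IEX token, while a 4624 event carrying the same command line is dropped by the process-creation group.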