Suspicious Registry Key Created (Windows Event Log)
Adversaries may achieve persistence by adding a program to, or referencing it from, a Registry Run key, or by using Image File Execution Options (IFEO) debugger keys to trigger execution. Run keys exist under both the HKLM and HKCU hives, and IFEO SilentProcessExit entries can also launch an arbitrary monitor program when a specified program exits silently. Multiple APTs use these keys to establish persistence or to execute additional payloads that blend in with normal activity. -- Threat Group Association: APT29/Nobelium/Cozy Bear, APT31, Kimsuky, TA505, Wizard Spider
MITRE ATT&CK coverage
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (persistence, privilege escalation)
- T1546.012 Event Triggered Execution: Image File Execution Options Injection (persistence, privilege escalation)
References
- https://blog.talosintelligence.com/2021/09/tinyturla.html
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4657 | A registry value was modified. |
Event 4657 is only written when the Object Access / Audit Registry subcategory is enabled and the target key carries a SACL that audits value writes. Neither is on by default, so on unaudited hosts this rule returns nothing rather than a negative result; confirm both before trusting its silence.
Rule body (YAML)
id: '5857.6155'
title: Suspicious Registry Key Created
description: 'Adversaries may achieve persistence by adding a program or referencing
it with a Registry run key or by utilizing content triggered by Image File Execution
Options (IFEO) debugger keys. Run keys may exist under multiple hives and IFEOs
can also enable an arbitrary monitor program to be launched when a specified program
silently exits. Multiple APTs leverage these Hives in order to establish persistence
or execute additional payloads that appear to blend in with normal traffic. -- Threat
Group Association: APT29/Nobelium/Cozy Bear, APT31, Kimsuky, TA505, Wizard Spider
-- Software Association: BABYSHARK, Bazar, DirtyMoe, GhostShell, TrickBot -- Atomics
T1003 Test #2 Atomic T1574.012 Test#1 Atomic T1574.012 Test#2'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4657) OR
"<EventID>4657<") Operation_Type="New registry value created" (TERM(vbs) OR TERM(dll))|
regex New_Value="\.(vbs|dll)" | table _time, host, user, parent_*, process, process_*,
signature_id, Object_*, Operation_*, New_* | bin span=60s | stats count as event_count,
values(*) as * by _time, host, process_name | where event_count < 3 | fields - Object_*,
Operation_*, New_* `hec_collect`'
techniques:
- persistence:boot or logon autostart execution:registry run keys / startup folder
- persistence:event triggered execution:image file execution options injection
- privilege-escalation:boot or logon autostart execution:registry run keys / startup
folder
- privilege-escalation:event triggered execution:image file execution options injection
technique_id:
- T1547.001
- T1546.012
data_category:
- File monitoring
- Windows event logs
references:
- https://blog.talosintelligence.com/2021/09/tinyturla.html
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4657) OR "<EventID>4657<") Operation_Type="New registry value created" (TERM(vbs) OR TERM(dll))
Stage 2: regex
| regex New_Value="\.(vbs|dll)"
The pattern is unanchored, so any new value containing `.vbs` or `.dll` passes, including routine COM InprocServer32 registrations written by installers; the per-minute count in Stages 5 and 6 is what keeps that volume down.
Stage 3: table
| table _time, host, user, parent_*, process, process_*, signature_id, Object_*, Operation_*, New_*
Stage 4: bucket
| bin span=60s
Stage 5: stats
| stats count as event_count, values(*) as * by _time, host, process_name
Stage 5 must emit event_count; without `count as event_count` the Stage 6 filter compares against a null field and drops every row.
Stage 6: where
| where event_count < 3
The threshold discards any host where one process wrote three or more matching values inside a single 60-second bucket, which is the signature of an installer registering DLLs rather than of a Run key or IFEO implant.
Stage 7: fields
| fields - Object_*, Operation_*, New_* `hec_collect`
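To make the stage semantics concrete, the following Python re-implements the seven stages over a handful of constructed 4657 records and shows the Stage 6 count suppressing a noisy installer while letting the single Run key and IFEO writes through. This is an added example, not the catalog's or Splunk's code: the hosts, process names, registry paths and timestamps are invented, `_raw` is approximated by joining the record's fields, and the TERM() pre-filter is approximated by an alphanumeric tokenizer (Splunk's real breaker rules differ).

```python
"""Reference walk-through of the rule's SPL stages over constructed sample
events. Added for illustration; not the catalog's own code."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample 4657 records. Field names follow the SPL; hosts, paths,
# process names and times are assumptions, not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:00:05Z", "host": "ws01", "process_name": "powershell.exe",
     "EventCode": 4657, "Operation_Type": "New registry value created",
     "Object_Name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "New_Value": r"wscript.exe C:\Users\Public\update.vbs"},
    # Same value touched again: Stage 1 drops it because it is a modification.
    {"_time": "2024-03-01T10:00:40Z", "host": "ws01", "process_name": "powershell.exe",
     "EventCode": 4657, "Operation_Type": "Existing registry value modified",
     "Object_Name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "New_Value": r"wscript.exe C:\Users\Public\update.vbs"},
    {"_time": "2024-03-01T10:01:10Z", "host": "ws02", "process_name": "reg.exe",
     "EventCode": 4657, "Operation_Type": "New registry value created",
     "Object_Name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Image File Execution Options\notepad.exe",
     "New_Value": r"C:\Windows\Temp\mon.dll"},
    # Three COM registrations from one installer inside one minute: benign noise.
    *[{"_time": f"2024-03-01T10:05:{s:02d}Z", "host": "ws03", "process_name": "msiexec.exe",
       "EventCode": 4657, "Operation_Type": "New registry value created",
       "Object_Name": r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"
                      r"\{00000000-0000-0000-0000-000000000001}\InprocServer32",
       "New_Value": rf"C:\Program Files\Vendor\comp{s}.dll"} for s in (1, 20, 50)],
    # No vbs/dll token anywhere: never reaches the regex.
    {"_time": "2024-03-01T10:07:00Z", "host": "ws04", "process_name": "explorer.exe",
     "EventCode": 4657, "Operation_Type": "New registry value created",
     "Object_Name": r"\REGISTRY\USER\S-1-5-21-1\Software\Tool",
     "New_Value": r"C:\Tools\readme.txt"},
]

TOKEN_RE = re.compile(r"[a-z0-9]+")          # crude stand-in for Splunk breakers
NEW_VALUE_RE = re.compile(r"\.(vbs|dll)")    # Stage 2 pattern, unanchored as in the rule


def raw_text(ev):
    # Stand-in for _raw: the samples are dicts, so join their fields.
    return " ".join(str(v) for k, v in ev.items() if k != "_time")


def stage1_search(events):
    # EventCode, Operation_Type and the TERM(vbs) OR TERM(dll) pre-filter.
    out = []
    for ev in events:
        tokens = set(TOKEN_RE.findall(raw_text(ev).lower()))
        if (ev.get("EventCode") == 4657
                and ev.get("Operation_Type") == "New registry value created"
                and tokens & {"vbs", "dll"}):
            out.append(ev)
    return out


def stage2_regex(events):
    return [ev for ev in events if NEW_VALUE_RE.search(ev.get("New_Value", ""))]


def stage4_bin(ev, span=60):
    # bin span=60s: floor the epoch timestamp to the minute.
    ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // span * span


def stage5_stats(events):
    # stats count as event_count, values(*) as * by _time, host, process_name
    groups = defaultdict(list)
    for ev in events:
        groups[(stage4_bin(ev), ev["host"], ev["process_name"])].append(ev)
    return [{"_time": bucket, "host": host, "process_name": proc, "event_count": len(evs),
             "New_Value": sorted({e["New_Value"] for e in evs}),
             "Object_Name": sorted({e["Object_Name"] for e in evs})}
            for (bucket, host, proc), evs in sorted(groups.items())]


def stage6_where(rows, threshold=3):
    return [r for r in rows if r["event_count"] < threshold]


def stage7_fields(rows):
    # Stages 3 and 7: keep correlation columns, drop the raw registry detail.
    return [{k: v for k, v in r.items()
             if not k.startswith(("Object_", "Operation_", "New_"))} for r in rows]


def run_rule(events=SAMPLE_EVENTS):
    return stage7_fields(stage6_where(stage5_stats(stage2_regex(stage1_search(events)))))


if __name__ == "__main__":
    for row in run_rule():
        print(row)   # ws01/powershell.exe and ws02/reg.exe fire; ws03/msiexec.exe is suppressed
```

Replacing the sample list with records pulled from a real index (or feeding the script a JSON export of a 4657 search) is the quickest way to see how many benign installer bursts the Stage 6 threshold actually absorbs in your environment before tuning the `< 3` value.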
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4657 |
| New_Value | regex_match | `\.(vbs\|dll)` |
| Operation_Type | eq | New registry value created |
| event_count | lt | 3 |
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) wherever it appears, not against a specific field, and TERM() looks the token up in the index lexicon directly rather than through field extraction. TERM(vbs) and TERM(dll) are therefore pre-filters only: any 4657 event whose raw text contains either token passes, which is why Stage 2 re-checks the New_Value field with a regex. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM(EventCode=4657) |
| 1 | "<EventID>4657<" |
| 1 | TERM(vbs) |
| 1 | TERM(dll) |