Sample rules
Windows Modify Registry DisableSecuritySettings
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disablesecuritysettings_filter`
Windows Modify Registry Disabling WER Settings
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disabling_wer_settings_filter`
Windows Modify Registry DontShowUI
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won’t see error reporting pop-ups when errors occur.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_dontshowui_filter`
Windows Modify Registry ProxyEnable
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_proxyenable_filter`
Windows Modify Registry ProxyServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_proxyserver_filter`
Windows Modify Registry NoChangingWallPaper
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user’s control over their system’s visual settings.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_nochangingwallpaper_filter`
Windows Modify Registry DisableRemoteDesktopAntiAlias
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disableremotedesktopantialias_filter`
Windows Modify Registry AuthenticationLevelOverride
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_authenticationleveloverride_filter`
Windows Modify Registry Do Not Connect To Win Update
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the “Specify intranet Microsoft update service location” policy.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_do_not_connect_to_win_update_filter`
Windows Modify Registry UpdateServiceUrlAlternate
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_updateserviceurlalternate_filter`
Windows Remote Services Allow Remote Assistance
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_allow_remote_assistance_filter`
Windows Modify Registry Auto Minor Updates
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will “Treat minor updates like other updates”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_auto_minor_updates_filter`
Windows Remote Services Rdp Enable
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_rdp_enable_filter`
Windows Remote Services Allow Rdp In Firewall
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_allow_rdp_in_firewall_filter`
Windows Modify Registry MaxConnectionPerServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_maxconnectionperserver_filter`
Windows Modify Registry USeWuServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use “The WUServer value unless this key is set”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_usewuserver_filter`
Windows Modify Registry WuServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_wuserver_filter`
Windows Modify Registry EnableLinkedConnections
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_enablelinkedconnections_filter`
Windows Modify Registry Suppress Win Defender Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_suppress_win_defender_notif_filter`
Windows Modify Registry No Auto Update
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will “Disable Automatic Updates”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_no_auto_update_filter`
Windows Modify Registry wuStatusServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_wustatusserver_filter`
Windows Modify Registry Tamper Protection
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we’ve seen that uses this technique to bypass Windows defender detection.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_tamper_protection_filter`
Windows Modify Registry No Auto Reboot With Logon User
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow “Logged-on user gets to choose whether or not to restart his or her compute”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_no_auto_reboot_with_logon_user_filter`
Windows Modify Registry LongPathsEnabled
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_longpathsenabled_filter`
Windows Modify Registry Disable Toast Notifications
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disable_toast_notifications_filter`
Windows Modify Registry Disable WinDefender Notifications
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we’ve seen that uses this technique to bypass Windows defender detection.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_disable_windefender_notifications_filter`
Windows Remote Access Software RMS Registry
- source: splunk
- technicques:
- T1219
Description
The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_access_software_rms_registry_filter`
Windows Modify Registry Auto Update Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to “Notify before download”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_auto_update_notif_filter`
Windows Modify Registry Disable Windows Security Center Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disable_windows_security_center_notif_filter`
Sample rules
Windows Modify Registry DisableSecuritySettings
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disablesecuritysettings_filter`
Windows Modify Registry Disabling WER Settings
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disabling_wer_settings_filter`
Windows Modify Registry DontShowUI
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won’t see error reporting pop-ups when errors occur.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_dontshowui_filter`
Windows Modify Registry ProxyEnable
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_proxyenable_filter`
Windows Modify Registry ProxyServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_proxyserver_filter`
Windows Modify Registry NoChangingWallPaper
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user’s control over their system’s visual settings.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_nochangingwallpaper_filter`
Windows Modify Registry DisableRemoteDesktopAntiAlias
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disableremotedesktopantialias_filter`
Windows Modify Registry AuthenticationLevelOverride
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_authenticationleveloverride_filter`
Windows Modify Registry Do Not Connect To Win Update
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the “Specify intranet Microsoft update service location” policy.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_do_not_connect_to_win_update_filter`
Windows Modify Registry UpdateServiceUrlAlternate
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_updateserviceurlalternate_filter`
Windows Remote Services Allow Remote Assistance
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_allow_remote_assistance_filter`
Windows Modify Registry Auto Minor Updates
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will “Treat minor updates like other updates”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_auto_minor_updates_filter`
Windows Remote Services Rdp Enable
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_rdp_enable_filter`
Windows Remote Services Allow Rdp In Firewall
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_allow_rdp_in_firewall_filter`
Windows Modify Registry MaxConnectionPerServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_maxconnectionperserver_filter`
Windows Modify Registry USeWuServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use “The WUServer value unless this key is set”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_usewuserver_filter`
Windows Modify Registry WuServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_wuserver_filter`
Windows Modify Registry EnableLinkedConnections
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_enablelinkedconnections_filter`
Windows Modify Registry Suppress Win Defender Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_suppress_win_defender_notif_filter`
Windows Modify Registry No Auto Update
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will “Disable Automatic Updates”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_no_auto_update_filter`
Windows Modify Registry wuStatusServer
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_wustatusserver_filter`
Windows Modify Registry Tamper Protection
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we’ve seen that uses this technique to bypass Windows defender detection.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_tamper_protection_filter`
Windows Modify Registry No Auto Reboot With Logon User
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow “Logged-on user gets to choose whether or not to restart his or her compute”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_no_auto_reboot_with_logon_user_filter`
Windows Modify Registry LongPathsEnabled
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_longpathsenabled_filter`
Windows Modify Registry Disable Toast Notifications
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disable_toast_notifications_filter`
Windows Modify Registry Disable WinDefender Notifications
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we’ve seen that uses this technique to bypass Windows defender detection.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_disable_windefender_notifications_filter`
Windows Remote Access Software RMS Registry
- source: splunk
- technicques:
- T1219
Description
The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_access_software_rms_registry_filter`
Windows Modify Registry Auto Update Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we’ve seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to “Notify before download”.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_modify_registry_auto_update_notif_filter`
Windows Modify Registry Disable Windows Security Center Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disable_windows_security_center_notif_filter`
Windows Modify Registry DisAllow Windows App
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disallow_windows_app_filter`
Windows Modify Registry Disable Win Defender Raw Write Notif
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_disable_win_defender_raw_write_notif_filter`