There are legitimate reasons for changing this registry key/value. Investigate the change and its source and apply appropriate filters as needed.

Sample rules

Windows Routing and Remote Access Service Registry Key Change

Description

This analytic identifies modification of the Windows RemoteAccess registry entry. The technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system: the key is tampered with so that a custom DLL is loaded by the service. It has also been observed in use by the Gh0st RAT malware. When this behavior is seen, review the system's service events, especially those of the remote access services, and the process that made the change.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    FROM datamodel=Endpoint.Registry
    WHERE Registry.registry_path="*\\Services\\RemoteAccess\\RouterManagers\\Ip*" Registry.action=modified
    by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive
       Registry.registry_path Registry.registry_key_name Registry.registry_value_data
       Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user
       Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_routing_and_remote_access_service_registry_key_change_filter`
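To show what the search above actually computes, here is an added Python re-implementation of it run over constructed registry events; it is example code written for this page, not part of the Splunk content pack or any of its macros. It assumes events carry the Endpoint.Registry field names used in the `by` clause, emulates `tstats count min max ... by` with a dictionary, stands in `security_content_ctime` with a UTC formatter, and replaces the `_filter` macro with a constructed allow-list of the kind the false-positive note above asks you to build after investigating a change. The sample events, hostnames, process GUIDs and DLL paths are all made up for the example.

```python
"""Offline emulation of the detection: select registry modifications under the
RouterManagers\\Ip key, aggregate them the way `tstats count min max ... by` does,
and apply an allow-list that stands in for the `_filter` macro."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Wildcard path from the rule; Splunk's "*" maps onto fnmatch's "*".
REGISTRY_PATH_PATTERN = "*\\Services\\RemoteAccess\\RouterManagers\\Ip*"

# Fields from the rule's "by" clause, without the "Registry." prefix that
# `drop_dm_object_name(Registry)` strips.
GROUP_BY = (
    "action", "dest", "process_guid", "process_id", "registry_hive",
    "registry_path", "registry_key_name", "registry_value_data",
    "registry_value_name", "registry_value_type", "status", "user",
    "vendor_product",
)

KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip"


def _event(t, dest, guid, pid, data, user, action="modified", path=KEY):
    # Builds one constructed Endpoint.Registry-style event (not real telemetry).
    return {
        "_time": t, "action": action, "dest": dest, "process_guid": guid,
        "process_id": pid, "registry_hive": "HKLM", "registry_path": path,
        "registry_key_name": "Ip", "registry_value_data": data,
        "registry_value_name": "DLLPath", "registry_value_type": "REG_SZ",
        "status": "success", "user": user, "vendor_product": "Sysmon",
    }


# Constructed sample events covering the match, the allow-listed case and two non-matches.
SAMPLE_EVENTS = [
    # Two writes pointing the key at a DLL in a user-writable directory: what the rule targets.
    _event(1700000000, "ws01", "guid-a", "4312", "C:\\Users\\Public\\custom.dll", "ws01\\alice"),
    _event(1700000600, "ws01", "guid-a", "4312", "C:\\Users\\Public\\custom.dll", "ws01\\alice"),
    # Same key written by SYSTEM during role setup: the legitimate change the note warns about.
    _event(1700001200, "srv01", "guid-b", "812",
           "C:\\Windows\\System32\\placeholder-rtrmgr.dll", "NT AUTHORITY\\SYSTEM"),
    # Sibling key outside the wildcard: must not match.
    _event(1700001800, "ws01", "guid-c", "9901", "1", "ws01\\alice",
           path="HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\Parameters"),
    # Matching path but a different action: the rule only selects action=modified.
    _event(1700002400, "ws02", "guid-d", "5120", "C:\\Users\\Public\\custom.dll", "ws02\\bob",
           action="created"),
]


def matches(event):
    """The WHERE clause: action=modified and a registry_path matching the wildcard,
    compared case-insensitively as Splunk does for wildcard field matches."""
    return (event.get("action") == "modified"
            and fnmatchcase(event.get("registry_path", "").lower(),
                            REGISTRY_PATH_PATTERN.lower()))


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def aggregate(events):
    """Emulate `tstats count min(_time) as firstTime max(_time) as lastTime ... by <fields>`."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=g["count"], firstTime=ctime(g["firstTime"]), lastTime=ctime(g["lastTime"]))
        rows.append(row)
    return rows


# Constructed allow-list standing in for the `_filter` macro: each entry is a set of
# field/wildcard pairs that must all match for a row to be treated as legitimate.
DEFAULT_ALLOWLIST = (
    {"user": "NT AUTHORITY\\SYSTEM", "registry_value_data": "C:\\Windows\\System32\\*"},
)


def apply_filter(rows, allowlist=DEFAULT_ALLOWLIST):
    """Drop a row only when every field of some allow-list entry matches it."""
    def allowed(row):
        return any(all(fnmatchcase(str(row.get(f, "")).lower(), pat.lower())
                       for f, pat in entry.items())
                   for entry in allowlist)
    return [r for r in rows if not allowed(r)]


def run_detection(events=SAMPLE_EVENTS, allowlist=DEFAULT_ALLOWLIST):
    """Whole pipeline: WHERE filter, tstats-style aggregation, then the filter macro."""
    return apply_filter(aggregate(events), allowlist)


if __name__ == "__main__":
    for row in run_detection():
        print(row["dest"], row["user"], row["count"], row["firstTime"], row["lastTime"],
              row["registry_value_data"])
```

Run stand-alone, this prints the single surviving row for ws01 with count 2; with an empty allow-list the SYSTEM write on srv01 surfaces as a second row, which is exactly the row you would tune out through the `_filter` macro after confirming it came from a legitimate role installation. Note that the allow-list keys on both the writing user and the DLL location, not on either alone, so that a SYSTEM-level write pointing at a user-writable path still fires.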