Techniques
Sample rules
Windows Deleted Registry By A Non Critical Process File Path
- source: splunk
- technicques:
- T1112
Description
The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.
Detection logic
| tstats prestats=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path IN ("*\\windows\\*", "*\\program files*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product registry_hive registry_path registry_key_name registry_value_data registry_value_name registry_value_type status
| stats values(action) as action values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(registry_hive) as registry_hive values(registry_path) as registry_path values(registry_key_name) as registry_key_name values(registry_value_data) as registry_value_data values(registry_value_name) as registry_value_name values(registry_value_type) as registry_value_type values(status) as status by process_guid
| where isnotnull(process_path) AND isnotnull(registry_value_name)
| `windows_deleted_registry_by_a_non_critical_process_file_path_filter`