IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Unauthorized Access to an Okta Application Unexpected Child Process of macOS Screensaver Engine »
Elastic Docs Elastic Security [8.1] Detections and alerts Prebuilt rule reference

Uncommon Registry Persistence Change

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Uncommon Registry Persistence Change

edit

Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary’s attempt to persist in a stealthy manner.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 5 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
registry where /* uncomment once stable
length(registry.data.strings) > 0 and */ registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Serve
r\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Load",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\Run",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Windows\\IconServiceLib",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\AppSetup",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Taskman",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Userinit",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\VmApplet", "HKLM\\SOFTWARE\\Micros
oft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", "HKLM
\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shel
l", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scrip
ts\\Logoff\\Script", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windo
ws\\System\\Scripts\\Logon\\Script", "HKLM\\SOFTWARE\\Policies\\
Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", "HKLM\\S
OFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Scrip
t", "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\SOFTWARE\\Microso
ft\\Windows\\CurrentVersion\\Policies\\System\\Shell", "HKEY_USE
RS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff
\\Script", "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Window
s\\System\\Scripts\\Logon\\Script", "HKEY_USERS\\*\\SOFTWARE\\Po
licies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Script
s\\Startup\\Script", "HKLM\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components\\*\\ShellComponent",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnConnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Windows CE
Services\\AutoStartOnDisconnect\\MicrosoftActiveSync",
"HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
"HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Exec",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script",
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*\\VerifierDlls",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName",
"HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\Wds\\rdpwd\\StartupPrograms",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal
Server\\WinStations\\RDP-Tcp\\InitialProgram",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
"HKLM\\SYSTEM\\ControlSet*\\Control\\Session
Manager\\S0InitialCommand",
"HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",
"HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePat
h", "HKLM\\SYSTEM\\Setup\\CmdLine",
"HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and not
registry.data.strings : ("C:\\Windows\\system32\\userinit.exe",
"cmd.exe", "C:\\Program Files (x86)\\*.exe",
"C:\\Program Files\\*.exe") and not (process.name : "rundll32.exe"
and registry.path : "*\\Software\\Microsoft\\Internet
Explorer\\Extensions\\*\\Script") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\ProgramData\\Microsoft\\Windows
Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 5 (8.1.0 release)
  • Formatting only
Version 4 (7.16.0 release)
  • Formatting only
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only
« Unauthorized Access to an Okta Application Unexpected Child Process of macOS Screensaver Engine »