Startup or Run Key Registry Modification

edit

Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 9 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
registry where registry.data.strings != null and registry.path : (
/* Machine Hive */
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explore
r\\Run\\*", "HKLM\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio
n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C
urrentVersion\\Policies\\Explorer\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add common
legitimate changes without being too restrictive as this is one of the
most abused AESPs */ not registry.data.strings : "ctfmon.exe /n" and
not (registry.value : "Application Restart #*" and process.name :
"csrss.exe") and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
and not registry.data.strings : ("?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe") and not process.executable :
("?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\SysWOW64\\msiexec.exe") and not (process.name :
"OneDriveSetup.exe" and registry.value : ("Delete Cached
Standalone Update Binary", "Delete Cached Update Binary", "amd64",
"Uninstall *") and registry.data.strings :
"?:\\Windows\\system32\\cmd.exe /q /c *
\"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\"")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 9 (8.4.0 release)
  • Formatting only
Version 8 (8.3.0 release)
  • Formatting only
Version 6 (8.2.0 release)
  • Formatting only
Version 5 (8.1.0 release)
  • Formatting only
Version 4 (7.13.0 release)
  • Updated query, changed from:

    /* uncomment length once stable */ registry where /*
    length(registry.data.strings) > 0 and */ registry.path : ( /*
    Machine Hive */
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User
    Shell Folders\\*",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
    Folders\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion
    \\Policies\\Explorer\\Run\\*",
    "HKLM\\Software\\Microsoft\\Windows
    NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
    \*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio
    n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\
    CurrentVersion\\Explorer\\User Shell Folders\\*", "HKEY_USERS\\*
    \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
    Folders\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\Curre
    ntVersion\\Policies\\Explorer\\Run\\*",
    "HKEY_USERS\\*\\Software\\Microsoft\\Windows
    NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add here
    common legit changes without making too restrictive as this is one of
    the most abused AESPs */ not registry.data.strings : "ctfmon.exe /n"
    and not (registry.value : "Application Restart #*" and process.name
    : "csrss.exe") and user.domain != "NT AUTHORITY" and not
    registry.data.strings : ("C:\\Program Files\\*.exe", "C:\\Program
    Files (x86)\\*.exe") and not process.executable :
    ("C:\\Windows\\System32\\msiexec.exe",
    "C:\\Windows\\SysWOW64\\msiexec.exe")
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only