Active Setup Registry Autostart

Try in Splunk Security Cloud

Description

This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-04-27
• Author: Steven Dick, Teoderick Contreras, Splunk
• ID: f64579c0-203f-11ec-abcc-acde48001122

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1547.014	Active Setup	Persistence, Privilege Escalation

T1547

Boot or Logon Autostart Execution

Persistence, Privilege Escalation

Kill Chain Phase

• Installation
• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `active_setup_registry_autostart_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

active_setup_registry_autostart_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Registry.dest
• Registry.registry_value_name
• Registry.registry_key_name
• Registry.registry_path
• Registry.registry_value_data
• Registry.process_guid

How To Implement

To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709

Known False Positives

Active setup installer may add or modify this registry.

Associated Analytic Story

• Data Destruction
• Windows Privilege Escalation
• Hermetic Wiper
• Windows Persistence Techniques

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	modified/added/deleted registry entry $registry_path$ in $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E
• https://attack.mitre.org/techniques/T1547/014/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 4