Description
This detection identifies suspicious modifications to Windows registry keys that are commonly used by attackers to establish persistence. The registry is a critical component of Windows systems that stores configuration data, and certain keys are frequently targeted to ensure malware runs automatically after system reboots. This detection focuses on modifications to autorun locations, shell extensions, and other registry areas that can be abused for persistence.
Detection Details
- Tool: QRadar
- Category: SIEM
- Severity: Medium
- Status: Active
Metadata
- ID: QRADAR-001
- Author: Khalid Al Harthi
- Last Updated: 2023-11-08
MITRE ATT&CK Techniques
False Positives
- Software installation and updates
- Legitimate system configuration changes
- Group Policy updates
Tool-Specific Rule Format
{
  "name": "Suspicious Registry Modifications",
  "description": "Detects suspicious modifications to registry keys that are commonly used for persistence.",
  "severity": 5,
  "enabled": true,
  "type": "EVENT",
  "query": "SELECT UTF8(payload) from events where LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log' AND eventid = '4657' AND (LOWER(UTF8(payload)) LIKE '%\\run%' OR LOWER(UTF8(payload)) LIKE '%\\runonce%' OR LOWER(UTF8(payload)) LIKE '%\\image file execution options%')",
  "timespan": 300,
  "threshold": {
    "field": null,
    "type": "COUNT",
    "value": 1
  }
}
Query
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log' AND eventid = '4657' AND (LOWER(UTF8(payload)) LIKE '%\\run%' OR LOWER(UTF8(payload)) LIKE '%\\runonce%' OR LOWER(UTF8(payload)) LIKE '%\\image file execution options%')
Implementation Notes
This detection is implemented as a custom rule in QRadar. The rule uses AQL (Ariel Query Language) to search for specific patterns in your log data. You may need to customize the query based on your log sources and environment specifics. Consider adjusting the timespan and threshold values based on your environment's activity patterns.
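As an added example (not the rule's own code and not QRadar code), the Python below reproduces the three LIKE clauses of the AQL query and runs them over constructed Windows Security event 4657 payloads, then applies a whole-component check of the Object Name path that separates the autorun keys the rule targets (Run, RunOnce, Image File Execution Options) from key paths that merely contain the substring. Field labels (Account Name, Object Name, Object Value Name, Process Name, New Value) follow the 4657 event layout; the sample payloads are constructed, and the assumption that the rule's JSON-escaped backslash reaches AQL as a single backslash followed by "run" is mine.

```python
"""Offline model of the QRADAR-001 match logic.

Added example: QRadar evaluates the AQL server-side; this reproduces the
three LIKE clauses in Python so their behaviour can be inspected against
constructed event 4657 payloads without a QRadar instance.
"""
import re

# Substring patterns equivalent to the rule's LIKE '%\run%', '%\runonce%'
# and '%\image file execution options%' once the payload is lower-cased.
# Assumption: the JSON-escaped backslash in the rule body reaches AQL as
# one literal backslash.
BROAD_PATTERNS = ("\\run", "\\runonce", "\\image file execution options")

# Key path components naming the autorun locations the rule is meant to
# cover, matched as whole components rather than substrings.
AUTORUN_COMPONENTS = {"run", "runonce", "image file execution options"}

# Constructed sample 4657 payloads, abbreviated to the fields used here.
SAMPLE_EVENTS = [
    # Value written under HKLM\...\CurrentVersion\Run by a binary in a temp dir
    ("Account Name: jdoe Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows"
     "\\CurrentVersion\\Run Object Value Name: Updater Process Name: C:\\Users\\jdoe"
     "\\AppData\\Local\\Temp\\upd.exe New Value: C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"),
    # Debugger value set under Image File Execution Options for notepad.exe
    ("Account Name: SYSTEM Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
     "\\CurrentVersion\\Image File Execution Options\\notepad.exe Object Value Name: Debugger"
     " Process Name: C:\\Windows\\regedit.exe New Value: C:\\Users\\Public\\dbg.exe"),
    # Vendor key named "Runtime": the rule's '%\run%' clause fires, but it is
    # not an autorun location (the false-positive shape the rule invites)
    ("Account Name: svc_build Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Runtime"
     "\\Config Object Value Name: LogLevel Process Name: C:\\Program Files\\Contoso\\agent.exe"
     " New Value: 3"),
    # Ordinary policy change: none of the three clauses match
    ("Account Name: SYSTEM Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft"
     "\\Windows\\WindowsUpdate Object Value Name: AUOptions Process Name: C:\\Windows\\System32"
     "\\svchost.exe New Value: 4"),
]

# Pulls the context fields an analyst needs out of the constructed payload layout.
FIELD_RE = re.compile(
    r"Account Name: (?P<user>\S+) Object Name: (?P<key>.+?) Object Value Name: "
    r"(?P<value_name>\S+) Process Name: (?P<process>.+?) New Value: (?P<new_value>.+)$"
)


def rule_matches(payload: str) -> bool:
    """Reproduce the rule's WHERE clause on the raw payload text."""
    lowered = payload.lower()
    return any(p in lowered for p in BROAD_PATTERNS)


def parse_4657(payload: str) -> dict:
    """Extract user, key, value name, process and new value from the payload."""
    m = FIELD_RE.search(payload)
    if not m:
        raise ValueError("payload does not carry the expected 4657 fields")
    return m.groupdict()


def key_is_autorun_location(key_path: str) -> bool:
    """Whole-component check: '...\\Run' matches, '...\\Runtime' does not."""
    components = [c.lower() for c in key_path.split("\\") if c]
    return any(c in AUTORUN_COMPONENTS for c in components)


def triage(payload: str) -> dict:
    """Combine the rule's broad match with the tighter key check and context fields."""
    matched = rule_matches(payload)
    result = {"rule_matched": matched, "autorun_key": False}
    if matched:
        fields = parse_4657(payload)
        result.update(fields)
        result["autorun_key"] = key_is_autorun_location(fields["key"])
    return result


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(f"matched={r['rule_matched']} autorun_key={r['autorun_key']} "
              f"user={r.get('user', '-')} process={r.get('process', '-')}")
```

Running it shows the third sample firing the rule purely because "\Runtime" contains "\run"; when tuning the rule in QRadar, constraining the match to the Object Name field and to whole key components (as key_is_autorun_location does) keeps the Run, RunOnce and IFEO coverage while dropping that class of false positive.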
Alert Details
Why This Alert Fired
This alert was triggered by a QRadar detection rule that identified suspicious modifications to registry keys that are commonly used for persistence.
Investigation Steps
- Review the full event details in the SIEM platform
- Search for the full event using the query below:
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log' AND eventid = '4657' AND (LOWER(UTF8(payload)) LIKE '%\\run%' OR LOWER(UTF8(payload)) LIKE '%\\runonce%' OR LOWER(UTF8(payload)) LIKE '%\\image file execution options%')
- Examine the context of the event, including user, host, and network information
- Look for unusual patterns or deviations from normal behavior
- Check if the activity is consistent with the user's role and typical activities
- Check for related events before and after the detection time
- Verify if the activity is expected for the user/system in question
- Correlate with other security events from the same source or target
True Positive Indicators
- Activity matches known malicious patterns
- Unusual execution context or parameters
- Activity from unexpected users or systems
- Correlation with other suspicious events
False Positive Indicators
- Software installation and updates
- Legitimate system configuration changes
- Group Policy updates
Recommended Response Actions
This detection requires investigation to determine if action is needed.
- Investigate the activity thoroughly before taking action
- If confirmed malicious, isolate affected systems
- Reset credentials if account compromise is suspected
- Monitor for additional related activity
- Document findings for future reference
Documentation & Evidence Collection
- Document all investigation steps and findings in the case management system
- Capture screenshots of relevant events and timelines
- Export raw logs and preserve them as evidence
- Document any systems accessed and actions taken during investigation
- Record all remediation actions if a true positive is confirmed