/
registry_keys_used_for_privilege_escalation.yml
41 lines (41 loc) · 2.02 KB
/
registry_keys_used_for_privilege_escalation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Registry Keys Used For Privilege Escalation
id: c9f4b923-f8af-4155-b697-1354f5bcbc5e
version: 2
date: '2020-03-02'
description: This search looks for modifications to registry keys that can be used
to elevate privileges. The registry keys under "Image File Execution Options" are
used to intercept calls to an executable and can be used to attach malicious binaries
to benign system binaries.
how_to_implement: To successfully implement this search, you must be ingesting data
that records registry activity from your hosts to populate the endpoint data model
in the registry node. This is typically populated via endpoint detection-and-response
products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data
used for this search is typically generated via logs that report reads and writes
to the registry.
type: ESCU
references:
- https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/
author: David Dorsey, Splunk
search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name)
as registry_key_name values(Registry.registry_path) as registry_path min(_time)
as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows
NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag
OR Registry.registry_key_name=Debugger) by Registry.dest Registry.user | `security_content_ctime(lastTime)` |
`security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`'
known_false_positives: There are many legitimate applications that must execute upon
system startup and will use these registry keys to accomplish that task.
tags:
analytics_story:
- Windows Privilege Escalation
- Suspicious Windows Registry Activities
mitre_attack_id:
- T1015
kill_chain_phases:
- Actions on Objectives
cis20:
- CIS 8
nist:
- PR.PT
- DE.CM
security_domain: endpoint
asset_type: Endpoint