windows_modify_registry_proxyenable.yml
name: Windows Modify Registry ProxyEnable
id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5
version: 1
date: '2023-11-23'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification of the Windows registry that enables a proxy,
that is, a write of the value 0x00000001 to a value named ProxyEnable under an Internet Settings key.
This technique has been used by various malware families and adversaries to route traffic on a compromised host
through a proxy, facilitating connections to malicious Command and Control (C2) servers.
Identifying this anomaly is a useful indicator of suspicious processes attempting to activate the proxy
feature of the Windows operating system, especially those aiming to leverage proxy configurations
for unauthorized communication with malicious infrastructure.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001
by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_modify_registry_proxyenable_filter`'
how_to_implement: To successfully implement this search you need to be ingesting registry events
that include the name of the process responsible for the change from your endpoints into the
`Endpoint` data model in the `Registry` node. Also make sure that this registry value is included
in your endpoint agent configuration (e.g. your Sysmon config) so that changes to it are monitored.
known_false_positives: Administrators may enable or disable this feature, which may cause some
false positives; however, this is not common. Filter as needed.
references:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
tags:
analytic_story:
- DarkGate Malware
asset_type: Endpoint
confidence: 70
impact: 70
message: The registry setting was modified to enable a proxy on $dest$.
mitre_attack_id:
- T1112
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
- Registry.registry_path
- Registry.user
- Registry.dest
- Registry.registry_value_name
- Registry.action
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
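The following is an added example, not part of the Splunk security content above and not code from the analytic's author. It replays the search's logic in Python over constructed Sysmon EventID 13 XML events so the detection can be reasoned about offline: the `*\Internet Settings\ProxyEnable` path wildcard, the `0x00000001` value-data comparison, and the grouping with count/min/max that the `tstats` `by` clause performs. The Sysmon-to-CIM field mapping (`TargetObject` to `registry_path`, `Details` to `registry_value_data`, `EventType` to `action`, `Computer` to `dest`), the process names, GUIDs, hosts and users are all assumptions made for the example; in a real deployment the Sysmon add-on's field extractions decide those values.

```python
"""Added example, not part of the Splunk analytic above: replays the search's
matching and grouping logic over constructed Sysmon EventID 13 XML events.
The Sysmon-to-CIM field mapping and all sample data are assumptions."""
import fnmatch
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PATH_PATTERN = "*\\Internet Settings\\ProxyEnable"  # same wildcard as the search
PROXY_ENABLE = 0x00000001                           # value data the search requires
GROUP_BY = ("registry_path", "registry_value_name", "registry_value_data",
            "process_guid", "action", "user", "dest")  # the search's "by" clause
ACTION_MAP = {"CreateKey": "created", "DeleteKey": "deleted",   # assumed mapping of
              "SetValue": "modified", "DeleteValue": "deleted"}  # EventType to CIM action
_DWORD_RE = re.compile(r"^(?:DWORD|QWORD)\s*\((0x[0-9A-Fa-f]+)\)$")

# Layout of a Sysmon registry event as written to the Sysmon/Operational log.
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{eid}</EventID>
  <TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer></System>
  <EventData><Data Name="EventType">{etype}</Data><Data Name="ProcessGuid">{guid}</Data>
  <Data Name="Image">{image}</Data><Data Name="TargetObject">{target}</Data>
  <Data Name="Details">{details}</Data><Data Name="User">{user}</Data></EventData>
</Event>"""


def _event(eid, ts, host, user, proc, target, details, etype="SetValue"):
    """Render one constructed event (sample data, not a real capture)."""
    guid, image = proc
    return _TEMPLATE.format(eid=eid, ts=ts, host=host, etype=etype, guid=guid,
                            image=image, target=target, details=details, user=user)


HIVE = ("HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
        "\\CurrentVersion\\Internet Settings")
MALW = ("{A1B2C3D4-0001-6560-0000-000000001000}",          # hypothetical process
        "C:\\Users\\alice\\AppData\\Local\\Temp\\Autoit3.exe")
OTHER = ("{A1B2C3D4-0002-6560-0000-000000002000}", "C:\\Windows\\explorer.exe")
ALICE, BOB = "EXAMPLE\\alice", "EXAMPLE\\bob"
SAMPLE_EVENTS = [  # constructed, in arrival order; comments give the expected outcome
    _event(13, "2023-11-23T10:15:01Z", "WS01", ALICE, MALW, HIVE + "\\ProxyEnable", "DWORD (0x00000001)"),  # hit
    _event(13, "2023-11-23T10:15:02Z", "WS01", ALICE, MALW, HIVE + "\\ProxyServer", "127.0.0.1:8080"),  # other value
    _event(13, "2023-11-23T10:20:00Z", "WS01", ALICE, MALW, HIVE + "\\ProxyEnable", "DWORD (0x00000000)"),  # disabled
    _event(13, "2023-11-23T10:30:44Z", "WS01", ALICE, MALW, HIVE + "\\ProxyEnable", "DWORD (0x00000001)"),  # same row as 1st
    _event(13, "2023-11-23T11:02:10Z", "WS02", BOB, OTHER, HIVE + "\\ProxyEnable", "DWORD (0x00000001)"),  # own row
]


def normalize_details(details):
    """Sysmon writes DWORDs as 'DWORD (0x00000001)'; keep only the hex text."""
    if details is None:
        return None
    m = _DWORD_RE.match(details.strip())
    return m.group(1) if m else details


def parse_sysmon_registry_event(xml_text):
    """Map one Sysmon registry event onto the CIM Registry field names the search uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    target = data.get("TargetObject", "")
    return {"_time": datetime.fromisoformat(stamp),
            "registry_path": target,
            "registry_value_name": target.rsplit("\\", 1)[-1],
            "registry_value_data": normalize_details(data.get("Details")),
            "process_guid": data.get("ProcessGuid", ""),
            "action": ACTION_MAP.get(data.get("EventType", ""), "unknown"),
            "user": data.get("User", ""),
            "dest": system.findtext("e:Computer", namespaces=NS)}


def matches(row):
    """The search's 'where' clause: path wildcard plus value data == 0x00000001."""
    if not fnmatch.fnmatchcase(row["registry_path"], PATH_PATTERN):
        return False
    try:  # integer compare tolerates 0x1 vs 0x00000001; non-DWORD data never matches
        return int(row["registry_value_data"], 16) == PROXY_ENABLE
    except (TypeError, ValueError):
        return False


def detect_proxy_enable(events_xml):
    """tstats equivalent: filter, then count/min(_time)/max(_time) per GROUP_BY key."""
    groups = {}
    for xml_text in events_xml:
        row = parse_sysmon_registry_event(xml_text)
        if not matches(row):
            continue
        g = groups.setdefault(tuple(row[f] for f in GROUP_BY),
                              {"count": 0, "firstTime": row["_time"], "lastTime": row["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], row["_time"])
        g["lastTime"] = max(g["lastTime"], row["_time"])
    rows = []
    for key, g in groups.items():
        rows.append(dict(zip(GROUP_BY, key), count=g["count"],
                         firstTime=g["firstTime"].isoformat(), lastTime=g["lastTime"].isoformat()))
    return sorted(rows, key=lambda r: (r["dest"], r["firstTime"]))


if __name__ == "__main__":
    for hit in detect_proxy_enable(SAMPLE_EVENTS):  # the rows the search would emit
        print(f"{hit['dest']}: ProxyEnable set to 1 {hit['count']}x by {hit['process_guid']} "
              f"as {hit['user']} between {hit['firstTime']} and {hit['lastTime']}")
```

Run as a script it prints the two rows the search would produce: one for WS01 with count 2 (the two enables by the same process collapse into one row, the disable and the ProxyServer write are dropped) and one for WS02. Two things are worth checking against your own data before trusting the literal `registry_value_data = 0x00000001` comparison in the search: whether your Sysmon add-on extracts the DWORD text as `0x00000001` or leaves Sysmon's `DWORD (0x00000001)` wrapper in place (the example normalizes both), and whether your Sysmon configuration includes this value at all, for instance a `RegistryEvent` include rule with a `TargetObject` `end with` condition on `\Internet Settings\ProxyEnable`; without such a rule there are no EventID 13 records to search. The WS02 row also shows why `windows_modify_registry_proxyenable_filter` exists: an administrator enabling the proxy by hand yields the same row shape as malware, so tune the filter on process and user, not on the registry value.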