windows_modify_registry_updateserviceurlalternate.yml
name: Windows Modify Registry UpdateServiceUrlAlternate
id: ca4e94fb-7969-4d63-8630-3625809a1f70
version: 1
date: '2023-04-21'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a suspicious registry modification of the Windows auto update configuration.
  This technique has been abused by several adversaries, malware authors and red teamers to bypass detection,
  to compromise the target host with a zero-day exploit, or as an additional defense evasion technique.
  RedLine Stealer is one of the malware families we've seen that uses this technique to evade detection and add more payloads on the target host.
  This detection looks for a registry modification that specifies an intranet server to host updates from Microsoft Update.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
  where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate"
  by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `windows_modify_registry_updateserviceurlalternate_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
  on processes that includes the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
  endpoint product.
known_false_positives: Administrators may enable or disable this feature, which may
  cause some false positives.
references:
- https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499
tags:
  analytic_story:
  - RedLine Stealer
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: A registry modification in Windows auto update configuration on $dest$
  mitre_attack_id:
  - T1112
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Registry.registry_key_name
  - Registry.registry_path
  - Registry.user
  - Registry.dest
  - Registry.registry_value_name
  - Registry.action
  - Registry.registry_value_data
  risk_score: 25
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
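The search logic above, re-implemented in Python over constructed Sysmon registry events so the matching and aggregation can be checked offline; this is an added example, not part of the Splunk content file. The mapping from Sysmon XML fields to the `Endpoint.Registry` fields (in particular `registry_key_name` as the path minus its last component) and the `allowed_servers` allowlist standing in for the `_filter` macro are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# The value the analytic matches; the SPL uses a "*\..." wildcard so any hive prefix counts.
TARGET_SUFFIX = r"\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternate"

def sysmon_event(event_id, computer, when, user, target, details):
    """Minimal Sysmon registry event in XmlWinEventLog form (constructed test data)."""
    return (f"<Event><System><EventID>{event_id}</EventID><Computer>{computer}</Computer>"
            f"<TimeCreated SystemTime='{when}'/></System><EventData>"
            f"<Data Name='User'>{user}</Data><Data Name='TargetObject'>{target}</Data>"
            f"<Data Name='Details'>{details}</Data></EventData></Event>")

# Constructed telemetry: two sets of the policy value on ws01, one on srv02 pointing at
# a sanctioned intranet server, and an unrelated WindowsUpdate value that must not fire.
SAMPLE_EVENTS = [
    sysmon_event(13, "ws01", "2023-04-21T10:15:02Z", r"CORP\jdoe", "HKLM" + TARGET_SUFFIX, "http://203.0.113.7:8530"),
    sysmon_event(13, "ws01", "2023-04-21T10:17:45Z", r"CORP\jdoe", "HKLM" + TARGET_SUFFIX, "http://203.0.113.7:8530"),
    sysmon_event(13, "srv02", "2023-04-21T11:00:00Z", r"CORP\admin", "HKLM" + TARGET_SUFFIX, "http://wsus.corp.example:8530"),
    sysmon_event(13, "ws01", "2023-04-21T10:20:00Z", r"CORP\jdoe",
                 r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate", "1"),
]

def parse_event(xml_text):
    """Pull out the fields the Endpoint.Registry data model derives from a Sysmon event.
    registry_key_name is assumed to be the path minus its last component."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iter("Data")}
    path = data.get("TargetObject", "")
    return {"event_id": int(root.findtext("./System/EventID")),
            "time": root.find("./System/TimeCreated").get("SystemTime"),
            "dest": root.findtext("./System/Computer"), "user": data.get("User"),
            "registry_path": path, "registry_key_name": path.rsplit("\\", 1)[0],
            "registry_value_data": data.get("Details")}

def detect(xml_events, allowed_servers=()):
    """Mirror the tstats search: keep EventID 12/13 events whose path ends in
    UpdateServiceUrlAlternate, then aggregate count/firstTime/lastTime by dest, user, path,
    value data and key name. allowed_servers is a hypothetical stand-in for the `_filter` macro."""
    groups = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if (ev["event_id"] in (12, 13) and ev["registry_path"].endswith(TARGET_SUFFIX)
                and ev["registry_value_data"] not in allowed_servers):
            key = (ev["dest"], ev["user"], ev["registry_path"],
                   ev["registry_value_data"], ev["registry_key_name"])
            groups[key].append(ev["time"])  # ISO-8601 UTC strings sort chronologically
    return [{"dest": k[0], "user": k[1], "registry_path": k[2], "registry_value_data": k[3],
             "registry_key_name": k[4], "count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]
```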