forked from splunk/security_content

suspicious_windows_registry_activities.yml
name: Suspicious Windows Registry Activities
id: 2b1800dd-92f9-47dd-a981-fdf1351e5d55
version: 1
date: '2018-05-31'
author: Bhavin Patel, Splunk
description: Monitor and detect registry changes initiated from remote locations,
  which can be a sign that an attacker has infiltrated your system.
narrative: >-
  Attackers are developing increasingly sophisticated techniques for hijacking
  target servers while evading detection. One such technique that has become
  progressively more common is registry modification.

  The registry is a key component of the Windows operating system: a
  hierarchical database that contains settings, options, and values for
  executables. Once a threat actor gains access to a machine, they can use
  reg.exe to modify their account to obtain administrator-level privileges,
  maintain persistence, and move laterally within the environment.

  The searches in this story are designed to help you detect behaviors
  associated with manipulation of the Windows registry.
references:
- https://redcanary.com/blog/windows-registry-attacks-threat-detection/
- https://attack.mitre.org/wiki/Technique/T1112
tags:
  analytic_story: Suspicious Windows Registry Activities
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
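The narrative above describes reg.exe being used to write persistence entries into the registry. The Python below is an added example, not part of this story file or of splunk/security_content, showing the kind of check a search in such a story performs: it reads Sysmon-style Event ID 13 (RegistryEvent: value set) records and flags writes by reg.exe to a watchlist of autorun keys. The field names follow Sysmon's schema; the watchlist of keys and the sample event lines are constructed assumptions for this example.

```python
"""Flag reg.exe writes to persistence keys in Sysmon-style registry events.

Added example for the Splunk analytic story above; it is not code from
splunk/security_content. Field names mirror Sysmon Event ID 13 (value set);
the key watchlist and the sample records are constructed for this example.
"""
import re

# Assumption: an analyst-chosen watchlist of persistence keys. Each regex is
# matched, case-insensitively, against the parent key of TargetObject.
PERSISTENCE_KEY_PATTERNS = [
    r"\\CurrentVersion\\Run$",
    r"\\CurrentVersion\\RunOnce$",
    r"\\CurrentVersion\\Winlogon$",
    r"\\CurrentVersion\\Image File Execution Options\\[^\\]+$",
]

# Constructed sample records: one event per line, pipe-separated key=value
# fields. Lines 1 and 5 are the writes the check should flag.
SAMPLE_EVENTS = """\
EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|Details=C:\\Users\\Public\\updater.exe
EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)
EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=C:\\Users\\alice\\OneDrive.exe
EventID=1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg query HKLM\\SOFTWARE
EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger|Details=C:\\Users\\Public\\dbg.exe
""".splitlines()


def parse_event(line):
    """Turn 'k=v|k=v' into a dict; values may contain backslashes but no '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def parent_key(target_object):
    """Strip the value name from a Sysmon TargetObject, leaving its key path."""
    return target_object.rsplit("\\", 1)[0]


def is_persistence_key(key):
    """True when the key path matches an entry on the watchlist."""
    return any(re.search(p, key, re.IGNORECASE) for p in PERSISTENCE_KEY_PATTERNS)


def detect_reg_exe_persistence(lines):
    """Return one finding per reg.exe value write under a watchlisted key."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only value-set events carry a TargetObject
        image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image_name != "reg.exe":
            continue  # this check is scoped to reg.exe, per the story narrative
        key = parent_key(ev["TargetObject"])
        if is_persistence_key(key):
            findings.append({
                "image": ev["Image"],
                "key": key,
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "data": ev.get("Details", ""),
            })
    return findings


if __name__ == "__main__":
    for f in detect_reg_exe_persistence(SAMPLE_EVENTS):
        print(f"reg.exe set {f['value']} under {f['key']} -> {f['data']}")
```

Run stand-alone it reports the Run-key and Image File Execution Options writes and ignores the benign Explorer setting, the explorer.exe write and the process-creation event. In a Splunk deployment the same logic maps onto a search over the registry data model with a lookup holding the key watchlist; the point of scoping on the parent key rather than the full value path is that the value name under Run or RunOnce is attacker-chosen and cannot be enumerated in advance.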