From Registry With Love: Malware Registry Abuses

The Windows Registry is one of the most powerful Windows operating system features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware or adversaries abuse this hierarchical database to perform malicious tasks on a victim host or environment.  Over the last 2 years, the Splunk Threat Research Team has analyzed and reverse engineered some of the most prevalent and successful malware families. During this process we learned about the many ways the Windows Registry can be abused for malicious purposes.

We will share some of these findings, dive deep into each tactic and show how the registry plays a key role at each stage of an attack. We will also describe the detections developed by the Splunk Threat Research Team (STRT) using the Splunk Sysmon TA and the Splunk Common Information Model (CIM). This article may help security analysts or digital forensic analysts identify evidence of adversary tradecraft that abuses the Windows Registry. 

This blog describes common Windows Registry abuses leveraged by current and relevant malware families in the wild across MITRE ATT&CK tactics and techniques. We saw how flexible, rich and powerful the modification of Registry keys are in terms of attack and, in this article, we covered 8 of 14 MITRE ATT&CK tactics.

Why Should You Care?

Successfully identifying malware continues to be a challenging and difficult task for security teams. Signatures and heuristics are constantly bypassed by malware authors in a cat-and-mouse race. The Splunk Threat Research Team recommends complementing anti-malware prevention controls with a detection approach to keep your networks clean. As we have seen in this blog post, malware authors commonly abuse the Windows Registry and this introduces a great detection opportunity that is difficult to bypass. Cyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to suspicious registry creation, modification and deletion.

Windows Registry Structure

The Windows Registry contains two basic elements, keys and values. Registry keys can be considered an object container or folder that may contain subkeys and values, while the Registry values are the non-container objects similar to files. The screenshot below shows the structural part of the registry. Understanding the structure will help analysts figure out what modifications have been made and what might be the effect of those Registry changes.

Discovery

The Registry can store valuable information about the operating system, specific applications or settings that may be used by adversaries to stage future operations. Typically, host level information is stored in the HKEY_LOCAL_MACHINE hive. Within this hive it is possible to identify all software installed and operating system features enabled. As an example, many objects that may be enabled via Windows Group Policy are turned on/off within this hive (among others). In addition to host and software information, this hive also contains the SAM and Security keys, related to credential access, which we will showcase later. To simulate different adversary tradecraft, check out Atomic Red Team T1012 which describes the many ways to gather host and software from the registry.   

Late last year we blogged about Remcos RAT, which is a common remote access trojan with many features built in for an adversary. Remcos at the time was being utilized by FIN7 to maintain access. Within that frame, the adversary was utilizing the registry to identify product information as seen in Figure 1.

^{Figure 1}

Similarly, we analyzed Trickbot mid 2021. Trickbot is a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Figure 2 shows how the “Systeminfo64.dll” module of Trickbot malware collects all installed applications in the compromised host by querying the “uninstall” Registry.

^{Figure 2}

The registry is a treasure trove of host information that an adversary may collect data from and analyze. As showcased, Trickbot and Remcos, among many, build in reconnaissance techniques to help the operator decide next steps. Think of it as a way for the adversary to go back and craft their next move for the next phase.

Persistence And Privilege Escalation

Typically after executing discovery techniques,  an adversary may look to persist or perform privilege escalation. This may occur in many ways, but within the registry there is a large trove of registry keys to persist or elevate privileges. 

There are many common known values that allow an adversary to run their payload upon boot. In fact, we have a query that looks for many of them here:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

Non-malicious software may use these keys for normal operation, however a new value should be reviewed based on prevalence, the process and the account performing the behavior. 

Registry Run Keys

A popular registry key leveraged for persistence is the “Run” Registry entry. The Run key may allow malicious files to automatically execute upon reboot of the compromised system. Figure 3 below shows how malicious.exe creates a reg run entry to persist on a targeted host.

^{Figure 3}

Boot or Logon Autostart Execution

Another common technique is to create or modify existing services to gain persistence and perform privilege escalation. Figure 3.1 below is the event simulated with the Atomic Red Team technique T1574.011, which simulates a threat actor looking for services with weak permissions in the Windows Registry. If such services exist, the actor can modify the file path to point to a malicious binary and the next time the service starts, malicious code will be executed. An example is shown below.

^{Figure 3.1}

Built-in Local Administrator Accounts

Enabling the built-in local Administrator account, which is disabled by default, is another technique abused by adversaries to achieve persistence. This technique was seen in “BlackMatter Ransomware” (see the reference blog from Trend Micro) to automatically logon to the compromised host after triggering safe mode boot. Below is the short batch script to simulate this technique. Atomic Red Team T1562.001 also has several ways to simulate it. 

reg  add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon  /t REG_SZ /d 1

reg  add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d administrator /f

Additionally,  adversaries leverage application Shimming, the Printer Registry, Safeboot Registry, Active Setup, logon script and many more. Below is a list of analytics the STRT has developed across the spectrum of persistence and privilege escalation abuse in the Windows Registry.

Name	Technique ID	Tactic
Registry Keys Used For Persistence	T1547.001	Persistence, Privilege Escalation
Auto Admin Logon Registry Entry	T1547.001, T1552.002	Credential Access, Persistence, Privilege Escalation
Registry Keys Used For Privilege Escalation	T1546.012	Persistence, Privilege Escalation
Add DefaultUser And Password In Registry	T1547.001, T1552.002	Credential Access, Persistence, Privilege Escalation
Registry Keys for Creating SHIM Databases	T1546.011	Persistence, Privilege Escalation
Active Setup Registry Autostart	T1547.014	Persistence, Privilege Escalation
Time Provider Persistence Registry	T1547.003	Persistence, Privilege Escalation
Windows Service Creation Using Registry Entry	T1574.011	Defense Evasion, Persistence, Privilege Escalation
Start Up During Safe Mode Boot	T1547.001	Persistence, Privilege Escalation
Print Processor Registry Autostart	T1547.012	Persistence, Privilege Escalation
Logon Script Event Trigger Execution	T1037.001	Persistence, Privilege Escalation
Allow Operation with Consent Admin	T1548	Defense Evasion, Privilege Escalation
Screensaver Event Trigger Execution	T1546.002	Persistence, Privilege Escalation
Change Default File Association	T1546.001	Persistence, Privilege Escalation
Suspicious Changes to File Associations	T1546.001	Persistence, Privilege Escalation

Defense Evasion

From discovery, persistence and privilege escalation, an adversary will eventually need to evade other controls in place. The Windows Registry plays a role here as most security products and applications create a Registry entry as part of their installation. Windows itself is riddled with different entries that  adversaries abuse to evade detections, bypass User Account Control (UAC) and impair security products.

User Account Control Bypass

One example is bypassing User Account Control to elevate process privileges or execute elevated COM objects without prompting the user through the UAC notification message box. Figure 4 is a code snippet of how Remcos RAT attempts to disable the UAC through the registry by checking and disabling the EnableLUA value.

 _{Figure 4}

Adversaries may also add an entry to eventvwr.exe and fodhelper.exe registry keys to bypass UAC. These two Windows applications have a high integrity level (admin rights) process that can ignore UAC. Figure 5.1 and Figure 5.2 show how the IcedID malware bypasses UAC using this technique. By overwriting the executable path on the registry values of these two registry keys, malicious code can bypass UAC and run in high integrity. Simulating this technique is available in Atomic Red Team T1548.002.

^{Figure 5.1}

^{Figure 5.2}

Aside from UAC bypasses, malware also commonly will try to disable security tools like ETW, security event logs and the Windows Defender Antivirus. Figure 6 is a screenshot of the batch script identified by Remcos loaders that evade or disable Windows Defender Antivirus features, disable system restore point and many other registry values.

^{Figure 6}

Adversaries may also abuse the Registry capability to disable or modify group policy features, Windows notification or even disable common Windows applications like cmd.exe, Task Manager and Regedit to make it difficult for analysts and forensic responders to react to the attack. Below is a simple batch script that disables cmd, TaskMgr and Registry tool.

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f

Other techniques adversaries may leverage to perform Defense Evasion include disabling a plethora of security controls security teams rely on like AMSI, specific Windows Defender features, SystemRestore, among many others. Below is a list of analytics the STRT has developed across the spectrum of defense evasion techniques that abuse the Windows Registry.

Name	Technique ID	Tactic
Windows WSReset UAC Bypass	T1548.002	Privilege Escalation, Defense Evasion
Windows Eventvwr UAC Bypass	T1548.002	Privilege Escalation, Defense Evasion
ETW Registry Disabled	T1562,T1562.006	Defense Evasion
Disable Defender AntiVirus Registry	T1562.001	Defense Evasion
Disable Security Logs Using MiniNt Registry	T1112	Defense Evasion
Disable AMSI Through Registry	T1562.002	Defense Evasion
Disable Defender MpEngine Registry	T1562.001	Defense Evasion
Disable UAC Remote Restriction	T1548.002	Defense Evasion, Privilege Escalation
Windows Defender Exclusion Registry Entry	T1562.002	Defense Evasion
Windows DisableAntiSpyware Registry	T1562.001	Defense Evasion
SilentCleanup UAC Bypass	T1548.002	Defense Evasion, Privilege Escalation
Sdclt UAC Bypass	T1548.002	Defense Evasion, Privilege Escalation
NET Profiler UAC bypass	T1548.002	Defense Evasion, Privilege Escalation
Disable Windows SmartScreen Protection	T1562.001	Defense Evasion
Disable Defender Spynet Reporting	T1562.001	Defense Evasion
Disable Defender Submit Samples Consent Feature	T1562.001	Defense Evasion
Disable Defender BlockAtFirstSeen Feature	T1562.001	Defense Evasion
Disable Defender Enhanced Notification	T1562.001	Defense Evasion
Disable Windows Behavior Monitoring	T1562.001	Defense Evasion
Malicious InProcServer32 Modification	T1218.010	Defense Evasion
FodHelper UAC Bypass	T1548.002	Defense Evasion, Privilege Escalation
SLUI RunAs Elevated	T1548.002	Defense Evasion, Privilege Escalation
Disabling Defender Services	T1562.001	Defense Evasion
Disabling SystemRestore In Registry	T1562.001	Defense Evasion
Disable Security Logs Using MiniNt Registry	T112	Defense Evasion
Windows Modify Show Compress Color And Info Tip Registry	T112	Defense Evasion
Disable Windows App Hotkeys	T1562.001	Defense Evasion
Hide User Account From Sign-In Screen	T1562.001	Defense Evasion
Disabling NoRun Windows	T1562.001	Defense Evasion
Disabling ControlPanel	T1562.001	Defense Evasion
Disabling CMD Application	T1562.001	Defense Evasion
Disabling Task Manager	T1562.001	Defense Evasion
Disabling FolderOptions Windows Feature	T1562.001	Defense Evasion
Revil Registry Entry	T1112	Defense Evasion
Remcos client registry install entry	T1112	Defense Evasion

Execution

Also within the Registry is the ability to bypass restrictions. For example, in PowerShell, to allow the execution of scripts on a host, an adversary may bypass the execution policy of PowerShell by modifying or adding an execution policy registry entry for PowerShell similar to  the simple command below. 

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Unrestricted /f
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Bypass /f

Image File Execution

Hijacking the image file execution options (IFEO) debugger registry is another key abused by also being abused by threat actors. IFEOs enable a developer to attach a debugger to an application. When a targeted process is created, a debugger present in the IFEO registry will be launched too.

Below is a simple command to execute this technique.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\C:\Windows\System32\calc.exe" /v Debugger /d "C:\windows\system32\cmd.exe"

Fileless Execution Through Registry 

Fileless malware typically describes a threat that does not rely on files to operate, such as a backdoor that lives only in the memory. Adversaries can abuse the Windows Registry to install fileless malware on victim systems. One example is the execution of a malicious script by the Kovter malware leveraging registry entries. By using this technique, attackers attempt to make their malicious code bypass common security controls like anti malware. 

Below is an example of a .reg file that executes a Javascript script.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atomic"="\"mshta\" \"javascript:a=new ActiveXObject(\"WScript.Shell\");a.Run(\"calc.exe\",0,true);close();\""

Name	Technique ID	Tactic
windows_mshta_execution_in_registry.yml	T1218.005	Defense Evasion
Detect mshta inline hta execution	T1218.005	Defense Evasion
Set Default PowerShell Execution Policy To Unrestricted or Bypass	T1059.001	Execution

Lateral Movement

The Windows Registry can also be a vector abused by adversaries during lateral movement. For example, different campaigns over the year that we've triaged abuse the registry to modify inbound traffic ports or enable terminal services. The DFIR Report blogged about how the Xmrig Coinminer malware changes the port number used by the remote desktop protocol to allow adversaries to move laterally with minimal noise in normal RDP port monitoring (default port 3389). Below is a simple PowerShell command that may be used to simulate the technique also available in Atomic Red Team T1021.001

$portvalue = 3390
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal 
Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue 

Name	Technique ID	Tactic
Enable RDP In Other Port Number	T1021.001	Lateral Movement
Allow Inbound Traffic By Firewall Rule Registry	T1021.001	Lateral Movement

Collection

The Registry may also be a source of sensitive information that may be collected and  exfiltrated or may be used by an adversary to continue their long term operation against the organization. During triage of different IcedID samples the below list of keys were collected related to Outlook information that included user profile, email signatures and browser password storage. This information can be used by the Threat Actors or adversaries to their phishing email campaigns to compromise specific targets or networks. 

• HKCU\Software\Microsoft\Office\%u.0\Outlook\Profiles
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
• HKCU\Software\Microsoft\ActiveSync\Partners
• HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Credential Access

Since everything else resides in the registry, so do credentials. An adversary may dump specific keys to escalate privileges on an endpoint. The Security Account Manager (SAM) database contains local accounts for the host. Once this database gets to the hand of the threat actors, they can extract password hashes for high privileged users and attempt to crack them offline. Below is a script that will simulate this behavior. We also recommend the Atomic Red Team T1003.002 for testing this attack.

C:\Windows\system32\cmd.exe /c "reg save HKLM\sam %%temp%%\sam & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security"

Name	Technique ID	Tactic
Attempted Credential Dump From Registry via Reg exe	T1003.002	Credential Access
Enable WDigest UseLogonCredential Registry	T1003	Credential Access

Impact

A commonality over the last 2 years is registry keys that may be used by ransomware operators to modify the wallpaper or disable crash dumps. Adversaries use this as a way to notify the end user that ransomware has been installed. Figure 7 highlights the REvil ransomware campaign abusing such techniques.

^{Figure 7}

 

Other techniques adversaries may leverage to perform this tactic by stopping services, trigger system shutdown/reboot, wiping registry hives or disabling crashdump like what hermetic wiper malware did.

Name	Technique ID	Tactic
Modification Of Wallpaper	T1491	Impact
Windows Disable Memory Crash Dump	T1485	Impact
Windows Defacement Modify Transcodedwallpaper File	T1491	Impact

Automating with SOAR Playbooks

All of the previously listed detections create entries in the Splunk Enterprise Security risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks can also be used in conjunction with some of the previously described analytics:

Playbook	Description
Internal Host  WinRM Investigate	This playbook performs a general investigation on key aspects of a Windows device  using Windows Remote Management. Important files related to the endpoint are  generated, bundled into a zip, and copied to the container vault.
Active Directory  Reset Password	This playbook resets the password of a potentially compromised user account. First, an analyst is prompted to evaluate the situation and choose whether to reset the  account. If they approve, a strong password is generated and the password is reset.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the following for their contributions to this post: Teoderick Contrera, Michael Haag, Mauricio Velazco, Rod Soto, Jose Hernandez, Patrick Barreiss, Lou Stella, Bhavin Patel and Eric McGinnis.