Registry activities
The registry is a very common place to detect anomalous changes that might indicate compromise or signs of privilege escalation. A search that displays all the registry changes made by a user via reg.exe is a great way to monitor for anomalous changes to the registry.
Data required
Procedure
- Ensure that your deployment is ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the Endpoint data model in the Processes and Registry nodes.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest = "<dest>" BY Registry.process_id Registry.dest
|rename "Registry.*" as "*"
|join [| tstats summariesonly=true allow_old_summaries=true count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name = reg.exe BY Processes.process_id |rename "Processes.*" as "*"]
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| \|tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest = "<dest>" BY Registry.process_id Registry.dest | Query the Endpoint.Registry data model object for the process_id and destination that performed the change. The required <dest> field is the IP address of the machine to investigate. |
| \|rename "Registry.*" as "*" | Rename the data model object for better readability. |
| \|join [\| tstats summariesonly=true allow_old_summaries=true count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name = reg.exe BY Processes.process_id \|rename "Processes.*" as "*"] | Correlate registry changes with any process that used reg.exe to perform the changes. |
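The following Python is an added example, not part of this article or of Splunk's own code. It re-implements the correlation the search performs (aggregate registry changes per process, then join to the process that ran reg.exe) over a handful of constructed Endpoint.Registry and Endpoint.Processes events, so you can see which rows the join keeps and drops. The `join_on` parameter is an assumption added for illustration: it lets you compare joining on `process_id` alone, as the search above does, with joining on `(dest, process_id)`, which avoids matching a reg.exe instance from a different host that happens to reuse the same PID.

```python
from collections import defaultdict

# Constructed sample events shaped like the Endpoint.Registry data model.
REGISTRY_EVENTS = [
    {"dest": "10.0.0.5", "process_id": 4120,
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_key_name": "Updater"},
    {"dest": "10.0.0.5", "process_id": 4120,
     "registry_path": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "registry_key_name": "command"},
    # Service start-type change made by services.exe, not reg.exe.
    {"dest": "10.0.0.5", "process_id": 812,
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "registry_key_name": "Start"},
]

# Constructed sample events shaped like the Endpoint.Processes data model.
# Note the reg.exe on 10.0.0.9 reuses PID 812, which also exists on 10.0.0.5.
PROCESS_EVENTS = [
    {"dest": "10.0.0.5", "process_id": 4120, "user": "CORP\\jdoe",
     "process_name": "reg.exe", "parent_process_name": "cmd.exe"},
    {"dest": "10.0.0.5", "process_id": 812, "user": "NT AUTHORITY\\SYSTEM",
     "process_name": "services.exe", "parent_process_name": "wininit.exe"},
    {"dest": "10.0.0.9", "process_id": 812, "user": "CORP\\svc-deploy",
     "process_name": "reg.exe", "parent_process_name": "powershell.exe"},
]


def correlate(registry_events, process_events, dest, process_name="reg.exe",
              join_on=("dest", "process_id")):
    """Mirror the search: filter registry events to `dest`, aggregate
    registry_path / registry_key_name / count per join key, then inner-join
    to process events whose process_name matches (reg.exe by default).

    `join_on` is a hypothetical parameter for this example. The page's search
    joins on process_id only; ("dest", "process_id") is the safer key because
    PIDs are only unique per host."""
    grouped = defaultdict(lambda: {"registry_path": set(),
                                   "registry_key_name": set(), "count": 0})
    for ev in registry_events:
        if ev["dest"] != dest:          # WHERE Registry.dest = "<dest>"
            continue
        g = grouped[tuple(ev[f] for f in join_on)]   # BY <join fields>
        g["registry_path"].add(ev["registry_path"])  # values(registry_path)
        g["registry_key_name"].add(ev["registry_key_name"])
        g["count"] += 1

    # Subsearch: process events restricted to the tool of interest.
    procs = {}
    for p in process_events:
        if p["process_name"] == process_name:
            procs[tuple(p[f] for f in join_on)] = p

    results = []
    for key, g in grouped.items():
        proc = procs.get(key)
        if proc is None:
            continue                    # inner join drops non-reg.exe changes
        results.append({
            "dest": dest,
            "process_id": dict(zip(join_on, key))["process_id"],
            "user": proc["user"],
            "process_name": proc["process_name"],
            "parent_process_name": proc["parent_process_name"],
            "registry_path": sorted(g["registry_path"]),
            "registry_key_name": sorted(g["registry_key_name"]),
            "count": g["count"],
        })
    results.sort(key=lambda r: r["process_id"])
    return results


if __name__ == "__main__":
    for row in correlate(REGISTRY_EVENTS, PROCESS_EVENTS, "10.0.0.5"):
        print(row)
    print("--- joined on process_id only ---")
    for row in correlate(REGISTRY_EVENTS, PROCESS_EVENTS, "10.0.0.5",
                         join_on=("process_id",)):
        print(row)
```

Run as written, the first pass returns only the reg.exe instance run by CORP\jdoe with its two Run/ms-settings changes; the services.exe change is dropped by the inner join. The second pass, keyed on process_id alone as in the page's search, additionally attributes the services.exe change on 10.0.0.5 to the unrelated reg.exe on 10.0.0.9. When you adapt the search, adding Registry.dest and Processes.dest to the join key removes that ambiguity.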
Next steps
The results list, for the specified destination computer, the registry paths and key names changed by each reg.exe instance, together with the user, process name, and parent process name of that instance.
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.
Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools and Monitoring for signs of Windows privilege escalation attacks use cases.