Skip to main content
 
 
 
Splunk Lantern

Registry keys used for privilege escalation

 

The Image File Execution Options registry keys are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

To help prevent privilege escalation attacks in your organization, you'd like to create a search to look for a specific registry path—in this case Image File Execution Options—that malware often uses to elevate privileges. 

Data required  

Endpoint data

Procedure 

  1. To complete this process, your deployment needs to ingest endpoint data that records registry activity from your hosts, with logs with both the process name and command line from your endpoints. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. You should also ensure you are ingesting normalized endpoint data, populating the Registry node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest  Registry.user 
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) 
|rename "Registry.*" AS "*"

3. Modify your search as needed to filter out registry keys used to execute legitimate applications upon system startup.

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest  Registry.user  Query the Endpoint.Registry data model object. Filter results to field-value matches of. *Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options* for the registry path and either GlobalFlag or Debugger for the key name. Return the destination and user for each result.
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) 
Convert these times into readable strings.
|rename "Registry.*" as "*" Rename the data model object for better readability.

Next steps

The search returns the count, the first time the activity was seen, the last time the activity was seen, the registry path that was modified, the host where the modification took place, and the user who performed the modification. 

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

You might also be interested in other processes associated with the Monitoring for signs of Windows privilege escalation attacks or Recognizing improper use of system administration tools use cases.