Skip to main content
Splunk Lantern

Registry key modifications

Ransomware can use changes in startup registry keys to launch a program every time the targeted system is started. This tactic can be used, for example, to start a keylogger program that steals a user's passwords, allowing the ransomware attack to take place. This search looks for modifications to registry keys that can be used to launch an application or service at system startup.

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting endpoint data that records registry activity from your hosts to populate the Endpoint data model in the Processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, values("Registry.registry_key_name") AS registry_key_name, values("Registry.registry_path") AS registry_path, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Registry WHERE ("Registry.registry_path"=*currentversion\\run* OR "Registry.registry_path"=*currentVersion\\Windows\\Appinit_Dlls* OR "Registry.registry_path"=CurrentVersion\\Winlogon\\Shell* OR "Registry.registry_path"=*CurrentVersion\\Winlogon\\Userinit* OR "Registry.registry_path"=*CurrentVersion\\Winlogon\\VmApplet* OR "Registry.registry_path"=*currentversion\\policies\\explorer\\run* OR "Registry.registry_path"=*currentversion\\runservices* OR "Registry.registry_path"=*\\CurrentControlSet\\Control\\Lsa\\* OR "Registry.registry_path"="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" OR "Registry.registry_path"=HKLM\\SOFTWARE\\Microsoft\\Netsh\\*) BY "Registry.dest", "Registry.user" 
| rename "Registry.*" AS "*"
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count, values("Registry.registry_key_name") AS registry_key_name, values("Registry.registry_path") AS registry_path, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Registry WHERE ("Registry.registry_path"=*currentversion\\run* OR "Registry.registry_path"=*currentVersion\\Windows\\Appinit_Dlls* OR "Registry.registry_path"=CurrentVersion\\Winlogon\\Shell* OR "Registry.registry_path"=*CurrentVersion\\Winlogon\\Userinit* OR "Registry.registry_path"=*CurrentVersion\\Winlogon\\VmApplet* OR "Registry.registry_path"=*currentversion\\policies\\explorer\\run* OR "Registry.registry_path"=*currentversion\\runservices* OR "Registry.registry_path"=*\\CurrentControlSet\\Control\\Lsa\\* OR "Registry.registry_path"="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" OR "Registry.registry_path"=HKLM\\SOFTWARE\\Microsoft\\Netsh\\*) BY "Registry.dest", "Registry.user"  Query the Endpoint.Registry data model object to search for registry key modifications, and sort by destination then user.
| rename "Registry.*" AS "*"  Rename data model fields for better readability.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
Convert these times into readable strings.

Next steps

False positives from this search may occur because there are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.