Splunk Lantern

Registry activities

 

The registry is a common place to look for anomalous changes that might indicate compromise or privilege escalation. A search that displays all the registry changes a user made via reg.exe is a good way to monitor for such changes.

Data required 

System log data

Procedure

  1. Ensure that your deployment is ingesting registry change information from your endpoints, including the name of the process responsible for each change, into the Processes and Registry nodes of the Endpoint data model.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest = "<dest>" BY Registry.process_id Registry.dest 
|rename "Registry.*" as "*" 
|join [| tstats summariesonly=true allow_old_summaries=true count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name = reg.exe BY Processes.process_id 
|rename "Processes.*" as "*"]

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
|tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest = "<dest>" BY Registry.process_id Registry.dest
Explanation: Query the Endpoint.Registry data model object for the process_id and destination that performed the change. The required <dest> field is the IP address of the machine to investigate.

Splunk Search:
|rename "Registry.*" as "*"
Explanation: Rename the data model object for better readability.

Splunk Search:
|join [| tstats summariesonly=true allow_old_summaries=true count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name = reg.exe BY Processes.process_id
|rename "Processes.*" as "*"]
Explanation: Correlate registry changes with any process that used reg.exe to perform the changes.
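
The subsearch above groups reg.exe processes by process_id alone, with no dest constraint, so a process ID reused on another host can be attributed to the investigated machine's registry changes. The following Python example (added here, not part of the Splunk search; all event values are constructed, and it assumes process events also carry a dest field) reproduces the correlation and compares joining on process_id with joining on dest plus process_id.

```python
from collections import defaultdict

# Constructed sample events; field names follow the search above.
REGISTRY_EVENTS = [
    {"dest": "10.0.0.5", "process_id": "4120", "registry_key_name": "Run",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"dest": "10.0.0.5", "process_id": "988", "registry_key_name": "Example",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\Example"},
]
# Assumption: each process event includes dest (not shown in the page's subsearch).
PROCESS_EVENTS = [
    {"dest": "10.0.0.5", "process_id": "4120", "process_name": "reg.exe",
     "user": "alice", "parent_process_name": "cmd.exe"},
    {"dest": "10.0.0.9", "process_id": "988", "process_name": "reg.exe",
     "user": "bob", "parent_process_name": "powershell.exe"},
    {"dest": "10.0.0.5", "process_id": "988", "process_name": "svchost.exe",
     "user": "SYSTEM", "parent_process_name": "services.exe"},
]

def reg_exe_index(process_events, keys):
    """Aggregate reg.exe process events by `keys` (the subsearch's BY clause)."""
    index = defaultdict(lambda: {"user": set(), "parent_process_name": set()})
    for ev in process_events:
        if ev["process_name"].lower() != "reg.exe":
            continue  # mirrors WHERE Processes.process_name = reg.exe
        row = index[tuple(ev[k] for k in keys)]
        row["user"].add(ev["user"])
        row["parent_process_name"].add(ev["parent_process_name"])
    return index

def correlate(registry_events, process_events, dest, keys):
    """Inner-join registry changes on `dest` to reg.exe processes using `keys`."""
    index = reg_exe_index(process_events, keys)
    hits = []
    for ev in registry_events:
        if ev["dest"] != dest:
            continue  # mirrors WHERE Registry.dest = "<dest>"
        match = index.get(tuple(ev[k] for k in keys))
        if match:
            hits.append({**ev, "user": sorted(match["user"]),
                         "parent_process_name": sorted(match["parent_process_name"])})
    return hits

if __name__ == "__main__":
    for keys in (("process_id",), ("dest", "process_id")):
        print(keys, correlate(REGISTRY_EVENTS, PROCESS_EVENTS, "10.0.0.5", keys))
```

Joining on process_id alone attributes the PID 988 change on 10.0.0.5 to bob's reg.exe on 10.0.0.9; adding dest to the key leaves only the change that reg.exe actually made on the investigated host.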

Next steps

The results give the details of the latest registry values for a specific destination computer.

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools and Monitoring for signs of Windows privilege escalation attacks use cases.