Splunk Lantern

Registry activities

You might want to gather the latest registry values for a specific destination computer when doing the following:

Prerequisites 

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

Example

The registry is one of the most common places to look for changes that indicate compromise, persistence, or privilege escalation. A search that lists every registry change made through reg.exe on a host, together with the user and parent process behind each change, is a practical way to review those changes for anything anomalous.

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that you are ingesting registry change events and process execution events from your endpoints into the Endpoint data model, in the Registry and Processes nodes respectively. Both nodes must populate process_id and dest, because the search correlates the two on those fields.
  2. Run the following search: 
    |tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest="<dest>" BY Registry.process_id Registry.dest 
    |rename "Registry.*" AS "*" 
    |join process_id dest [| tstats summariesonly=true allow_old_summaries=true count AS process_count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name="reg.exe" Processes.dest="<dest>" BY Processes.process_id Processes.dest 
    |rename "Processes.*" AS "*"]

Search explanation

The following explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search: |tstats summariesonly=true allow_old_summaries=true values(Registry.registry_path) AS registry_path values(Registry.registry_key_name) AS registry_key_name count FROM datamodel=Endpoint.Registry WHERE Registry.dest="<dest>" BY Registry.process_id Registry.dest
Explanation: Query the Endpoint.Registry data model for every process_id on the destination that changed the registry, collecting the registry paths and key names it touched and a count of changes. <dest> is required and is the hostname or IP address of the endpoint to investigate, exactly as it appears in the CIM dest field.

Splunk search: |rename "Registry.*" AS "*"
Explanation: Strip the data model prefix so the fields are named process_id, dest, registry_path, registry_key_name, and count.

Splunk search: |join process_id dest [| tstats summariesonly=true allow_old_summaries=true count AS process_count values(Processes.user) AS user values(Processes.process_name) AS process_name values(Processes.parent_process_name) AS parent_process_name FROM datamodel=Endpoint.Processes WHERE Processes.process_name="reg.exe" Processes.dest="<dest>" BY Processes.process_id Processes.dest |rename "Processes.*" AS "*"]
Explanation: Correlate the registry changes with the reg.exe processes on the same destination, adding the user and parent process for each. The join is keyed explicitly on process_id and dest for two reasons. First, when no fields are named, join uses every field common to both result sets, which here would include count, so rows would only match when the number of registry changes happened to equal the number of process events. Second, Windows process IDs are reused, so joining on process_id alone can attribute a change on the destination to an unrelated reg.exe process on another host that was running under the same PID. The subsearch count is renamed to process_count so it does not overwrite the registry change count.
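To make the join behaviour concrete, the following is an added example (not Splunk's or this page's code) that replays the two tstats legs of the search in Python over a handful of constructed, CIM-shaped Endpoint.Registry and Endpoint.Processes rows and joins them. The host names, PIDs, users, and registry paths are invented for the demonstration. It lets you compare joining on process_id alone with joining on dest and process_id when the same PID is live on two hosts at once, which is the cross-host attribution error described above.

```python
"""Offline model of the 'registry changes made via reg.exe' correlation.

Added example, not Splunk's or the Lantern page's code. The rows below are
constructed sample data shaped like CIM Endpoint.Registry and
Endpoint.Processes events; every host, PID, user and path is invented.
"""

# Constructed sample rows shaped like CIM Endpoint.Registry events.
REGISTRY_EVENTS = [
    {"dest": "ws01", "process_id": 4242, "action": "modified",
     "registry_key_name": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"dest": "ws01", "process_id": 4242, "action": "modified",
     "registry_key_name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"},
    {"dest": "ws01", "process_id": 5100, "action": "modified",
     "registry_key_name": r"HKCU\Software\Classes\Local Settings",
     "registry_path": r"HKCU\Software\Classes\Local Settings\MuiCache"},
    # PID 4242 is also live on ws02, but there it belongs to svchost.exe.
    {"dest": "ws02", "process_id": 4242, "action": "modified",
     "registry_key_name": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start"},
]

# Constructed sample rows shaped like CIM Endpoint.Processes events.
PROCESS_EVENTS = [
    {"dest": "ws01", "process_id": 4242, "process_name": "reg.exe",
     "parent_process_name": "cmd.exe", "user": r"CORP\alice"},
    {"dest": "ws01", "process_id": 5100, "process_name": "explorer.exe",
     "parent_process_name": "userinit.exe", "user": r"CORP\alice"},
    {"dest": "ws02", "process_id": 4242, "process_name": "svchost.exe",
     "parent_process_name": "services.exe", "user": r"NT AUTHORITY\SYSTEM"},
]


def registry_leg(events, dest):
    """First tstats leg: Registry rows for one dest, grouped by
    (dest, process_id), with values(registry_path),
    values(registry_key_name) and a count of changes."""
    rows = {}
    for e in events:
        if e["dest"] != dest:
            continue
        row = rows.setdefault((e["dest"], e["process_id"]), {
            "dest": e["dest"], "process_id": e["process_id"],
            "registry_path": set(), "registry_key_name": set(), "count": 0})
        row["registry_path"].add(e["registry_path"])
        row["registry_key_name"].add(e["registry_key_name"])
        row["count"] += 1
    return rows


def processes_leg(events, dest=None):
    """Second tstats leg: reg.exe processes. With dest=None the subsearch
    covers all hosts and groups by process_id only; with a dest it is
    filtered to that host and grouped by (dest, process_id)."""
    rows = {}
    for e in events:
        if e["process_name"].lower() != "reg.exe":
            continue
        if dest is not None and e["dest"] != dest:
            continue
        key = (e["dest"], e["process_id"]) if dest is not None else (e["process_id"],)
        row = rows.setdefault(key, {"user": set(), "process_name": set(),
                                    "parent_process_name": set()})
        for field in ("user", "process_name", "parent_process_name"):
            row[field].add(e[field])
    return rows


def correlate(registry_events, process_events, dest, join_on_dest=True):
    """Inner join of the two legs. join_on_dest=True keys the join on
    (dest, process_id); join_on_dest=False keys it on process_id alone,
    which is where cross-host PID reuse causes false attribution."""
    reg = registry_leg(registry_events, dest)
    procs = processes_leg(process_events, dest if join_on_dest else None)
    results = []
    for (rdest, pid), row in sorted(reg.items()):
        key = (rdest, pid) if join_on_dest else (pid,)
        match = procs.get(key)
        if match is None:
            continue  # no reg.exe process for this PID: drop the row
        merged = dict(row)
        merged["registry_path"] = sorted(row["registry_path"])
        merged["registry_key_name"] = sorted(row["registry_key_name"])
        merged.update({f: sorted(v) for f, v in match.items()})
        results.append(merged)
    return results


if __name__ == "__main__":
    for host in ("ws01", "ws02"):
        for mode in (False, True):
            hits = correlate(REGISTRY_EVENTS, PROCESS_EVENTS, host, join_on_dest=mode)
            print(f"dest={host} join_on_dest={mode}: {len(hits)} row(s)")
            for h in hits:
                print("   pid", h["process_id"], h["user"], h["parent_process_name"],
                      h["registry_path"])
```

Run it and compare the two ws02 results: with the join keyed on process_id alone, the svchost.exe change on ws02 is reported as made by CORP\alice via cmd.exe, because ws01's reg.exe happened to have the same PID; with dest included in the key, ws02 correctly returns no rows.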

Result

The results contain one row per reg.exe process on the destination computer, showing the user and parent process that ran it, the registry paths and key names it changed, and the number of changes it made.

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.
