Splunk Lantern

Registry keys used for privilege escalation

The Image File Execution Options registry keys are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. You might want to look for modifications to registry keys that can be used to elevate privileges when doing the following:

Prerequisites 

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

Example

To help prevent privilege escalation attacks in your organization, you'd like to create a search to look for a specific registry path—in this case Image File Execution Options—that malware often uses to elevate privileges. 

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that your deployment is ingesting data that records registry activity from your hosts to populate the Endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
  2. Run the following search: 
    |tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest Registry.user
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
    |rename "Registry.*" as "*"
  3. Modify your search as needed to filter out registry keys used to execute legitimate applications upon system startup.
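The following Python script is an added example, not part of the Lantern article or the Splunk Security Research content. It replays the logic of the tstats search above over a handful of constructed, CIM-shaped registry events (hosts, users and the legitapp.exe image name are all made up), including the step 3 tuning filter for legitimate applications, so you can check what the search should and should not flag before running it in Splunk.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry), already mapped to
# Endpoint.Registry field names as a Sysmon "value set" event would be after CIM normalization.
IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
RAW = [  # (_time, dest, user, registry_key_name, registry_path)
    ("2024-03-01T09:12:05", "ws01", "CORP\\alice", "Debugger", IFEO + "sethc.exe\\Debugger"),
    ("2024-03-01T09:12:40", "ws01", "CORP\\alice", "GlobalFlag", IFEO + "sethc.exe\\GlobalFlag"),
    ("2024-03-01T10:01:00", "ws02", "CORP\\bob", "Updater",
     "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),  # not an IFEO path
    ("2024-03-01T10:05:00", "ws01", "CORP\\alice", "UseFilter", IFEO + "notepad.exe\\UseFilter"),  # unwatched value
    ("2024-03-01T11:30:00", "ws03", "CORP\\svc_deploy", "Debugger", IFEO + "legitapp.exe\\Debugger"),  # hypothetical legit app
]
FIELDS = ("_time", "dest", "user", "registry_key_name", "registry_path")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

IFEO_PATH = re.compile(r"Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", re.I)
WATCHED_VALUES = {"GlobalFlag", "Debugger"}
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # same format as the convert ctime() steps


def detect_ifeo_writes(events, allowlist=()):
    """Mirror the tstats search: keep IFEO writes to Debugger or GlobalFlag, drop
    allowlisted image names (the step 3 tuning), and aggregate per (dest, user)."""
    groups = defaultdict(list)
    for ev in events:
        if not IFEO_PATH.search(ev["registry_path"]):
            continue  # registry_path="*...Image File Execution Options*"
        if ev["registry_key_name"] not in WATCHED_VALUES:
            continue  # registry_key_name=GlobalFlag OR registry_key_name=Debugger
        if any(name.lower() in ev["registry_path"].lower() for name in allowlist):
            continue  # filter out keys used by known legitimate applications
        groups[(ev["dest"], ev["user"])].append(ev)
    results = []
    for (dest, user), evs in sorted(groups.items()):  # BY Registry.dest Registry.user
        times = [datetime.fromisoformat(e["_time"]) for e in evs]
        results.append({
            "dest": dest, "user": user, "count": len(evs),
            "firstTime": min(times).strftime(TIME_FMT),
            "lastTime": max(times).strftime(TIME_FMT),
            "registry_key_name": sorted({e["registry_key_name"] for e in evs}),
            "registry_path": sorted({e["registry_path"] for e in evs}),
        })
    return results
```

Running it without an allowlist yields two rows (ws01/alice with two writes, ws03/svc_deploy with one); passing allowlist=("legitapp.exe",) drops the second, which is the effect step 3 asks you to tune for.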

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
|tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest Registry.user
Explanation:
Query the Endpoint.Registry data model object. Filter results to field-value matches of *Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options* for the registry path and either GlobalFlag or Debugger for the key name. Group the results by destination host and user.

Splunk Search:
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
Explanation:
Convert these times into readable strings.

Splunk Search:
|rename "Registry.*" as "*"
Explanation:
Rename the data model object fields for better readability.

Result

The search returns the count, the first time the activity was seen, the last time the activity was seen, the registry path that was modified, the host where the modification took place, and the user who performed the modification. 

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.
