Windows Registry Modification to Disable Run Application
The following analytic detects modification of the Windows registry to disable the Run application in the Start menu. It monitors for changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' with a value of '0x00000001'; such a change can hinder system cleanup and aid malware persistence.
This detection focuses on a specific Windows Registry modification that disables the Run application, a common shortcut for executing programs and scripts directly. Attackers may perform this action to hinder system cleanup efforts and complicate the execution of essential security tools. The Run application is disabled by modifying the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun and setting its value to 0x00000001. This behavior may be part of a broader effort to establish persistence or evade defenses on a compromised system. The detection logic monitors for these specific registry changes, which can be indicative of malicious activity when performed without legitimate administrative justification.
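The detection logic above amounts to three conditions on a Sysmon Event ID 13 (registry value set) record: the target is the NoRun value under Policies\Explorer, the written data is a DWORD of 1, and the event carries the process and user needed for triage. The following is an added example, not code from the page or from the platform the page describes; it runs the same conditions over a handful of constructed records laid out as flat 'Key=Value|Key=Value' lines, with made-up SIDs, user names and process paths. Like the wildcard in the search path, it accepts any hive prefix (HKU\<SID> or HKLM).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Registry value path from the analytic: any hive prefix (the search path uses a
# leading wildcard), matched case-insensitively because Sysmon records the path
# as the writing process supplied it.
NORUN_PATH_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun$",
    re.IGNORECASE,
)
# Sysmon renders a REG_DWORD in the Details field as "DWORD (0x00000001)";
# only the value 1 disables the Run dialog, so 0 (re-enabling it) must not alert.
DISABLE_VALUE_RE = re.compile(r"^DWORD \(0x0*1\)$", re.IGNORECASE)


@dataclass
class Alert:
    user: str
    image: str
    target: str


def parse_sysmon_event(line: str) -> dict:
    """Parse one flattened 'Key=Value|Key=Value' record (a constructed layout
    standing in for the EventData of a Sysmon event) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_norun_disable(event: dict) -> bool:
    """True for a Sysmon Event ID 13 SetValue that writes NoRun = 1."""
    return (
        event.get("EventID") == "13"
        and event.get("EventType") == "SetValue"
        and NORUN_PATH_RE.search(event.get("TargetObject", "")) is not None
        and DISABLE_VALUE_RE.match(event.get("Details", "")) is not None
    )


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over a stream of records, keeping the user and writing
    process so an analyst can judge whether the change was administrative."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_event(line)
        if is_norun_disable(ev):
            alerts.append(Alert(ev.get("User", "?"), ev.get("Image", "?"), ev["TargetObject"]))
    return alerts


# Constructed sample records; SIDs, user names and process paths are made up.
SAMPLE_EVENTS = [
    # 1: per-user NoRun set to 1 by an executable in a temp directory -> alert
    r"EventID=13|EventType=SetValue|User=CORP\alice|Image=C:\Users\alice\AppData\Local\Temp\update.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
    r"|Details=DWORD (0x00000001)",
    # 2: the same value written back to 0 (Run re-enabled) -> no alert
    r"EventID=13|EventType=SetValue|User=CORP\alice|Image=C:\Windows\regedit.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
    r"|Details=DWORD (0x00000000)",
    # 3: a different Explorer policy value -> no alert
    r"EventID=13|EventType=SetValue|User=CORP\bob|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
    r"|Details=DWORD (0x00000091)",
    # 4: key creation (Event ID 12) on the NoRun path, no value written -> no alert
    r"EventID=12|EventType=CreateKey|User=CORP\bob|Image=C:\Windows\regedit.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
    # 5: machine-wide NoRun = 1 written by the Group Policy client -> alerts, and the
    #    User/Image fields are what lets an analyst recognise an administrative change
    r"EventID=13|EventType=SetValue|User=NT AUTHORITY\SYSTEM|Image=C:\Windows\System32\svchost.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
    r"|Details=DWORD (0x00000001)",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT NoRun disabled: user={a.user} image={a.image} target={a.target}")
```

Records 1 and 5 both fire; the rule cannot tell a policy pushed by Group Policy from a malicious write on its own, which is why the alert carries the user and image fields rather than only the key path.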
Attack Chain
- Initial Access: An attacker gains initial access to the system, possibly through phishing, exploitation of a vulnerability, or stolen credentials.
- Privilege Escalation: The attacker escalates privileges to gain the necessary permissions to modify the Windows Registry. This might involve exploiting a local privilege escalation vulnerability or using stolen administrator credentials.
- Persistence: The attacker modifies the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun and sets its value to 0x00000001 to disable the Run application.
- Defense Evasion: Disabling the Run application makes it more difficult for users or security tools to execute programs, potentially hindering remediation efforts.
- Further Payload Deployment: With defenses weakened, the attacker deploys additional malicious payloads or tools to achieve their objectives.
- Lateral Movement: The attacker leverages their access and control to move laterally within the network, compromising other systems and resources.
- Objective Completion: The attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.
Impact
Successful execution of this attack can significantly hinder incident response and system cleanup efforts. By disabling the Run application, attackers can prevent users and security tools from quickly executing essential programs and scripts. This can prolong the duration of the attack and increase the overall damage. While the specific number of affected systems or organizations is not detailed, this technique could be used in targeted attacks against specific organizations or industries.
Recommendation
- Enable Sysmon Event ID 13 (registry value set) so that registry modifications are collected; the rules below depend on this telemetry (https://splunkbase.splunk.com/app/5709).
- Deploy the Sigma rule to your SIEM to detect suspicious modifications to the NoRun registry key.
- Investigate any alerts generated by the Sigma rule, focusing on the process and user accounts involved in the registry modification.
- Implement strict access control policies to limit who can modify critical registry settings.
Detection coverage (2)
Detect Disabling of NoRun via Registry
Severity: medium. Detects modification of the Windows registry to disable the Run application.
Detect Process Modifying NoRun Registry Key
Severity: medium. Detects processes that modify the NoRun registry key to disable the Run application, which could indicate defense evasion.