Uncommon Registry Persistence Change Detection
This rule detects changes to registry persistence keys on Windows that legitimate programs rarely create or modify. A write to one of these keys can indicate an adversary establishing persistence stealthily, so that malicious code runs at startup, at logon or when a specific event fires.
The rule watches keys and values such as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and HKEY_USERS\*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run, which are touched far less often than the well-known Run and RunOnce keys and therefore stand out when changed. It reduces false positives by excluding known legitimate processes and paths, so that the remaining hits are worth an analyst's time. The rule is designed for data generated by Elastic Defend and also supports third-party data sources such as Sysmon. It was last updated on 2026-05-04.
Attack Chain
- An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker executes code on the system, potentially using a dropper or exploit.
- The attacker identifies uncommon registry keys suitable for persistence.
- The attacker modifies the registry key to point to a malicious executable or script. This may involve adding a new entry or modifying an existing one.
- A user logs on (after a restart or a normal sign-in), and Winlogon or the shell launches the program named in the modified value.
- The malicious code runs in that user's session with that user's privileges. A Winlogon value under HKLM affects every interactive logon on the host, while a value under a single HKEY_USERS hive affects only that user.
- The attacker achieves persistence, allowing them to maintain access to the system even after restarts.
- The attacker performs malicious activities such as data exfiltration, lateral movement, or deploying ransomware.
Impact
A successful attack can lead to persistent access to the compromised system, allowing the attacker to maintain control and execute malicious activities. This can lead to data theft, system disruption, or further compromise of the network. The impact can range from a single workstation being compromised to a widespread enterprise-level breach, depending on the attacker’s objectives and the scope of the initial compromise.
Recommendation
- Deploy the “Uncommon Registry Persistence Change” Sigma rule to your SIEM to detect modifications to uncommon registry persistence keys and tune for your environment.
- Enable Sysmon registry event logging (Event ID 12 for key/value create and delete, 13 for value set, 14 for rename) with RegistryEvent rules whose TargetObject filters cover the Winlogon and Windows\Run paths above, so the Sigma rule has the telemetry it needs. Event ID 13 is the one that carries the written data in its Details field.
- Review and tune the filter conditions in the Sigma rule to reduce false positives, specifically excluding legitimate software installations, system maintenance processes, and administrative scripts.
- Investigate any alerts generated by the Sigma rule: identify the process that performed the write (the Image field), examine the data written to the value (for example a cmd.exe or powershell.exe command line, an encoded command, or a path under a user-writable directory), and correlate the write with other suspicious activity on the host around the same time.
- Block execution of known malicious executables and scripts identified during the investigation to prevent further compromise.
Detection coverage (2 rules)
Detect Uncommon Registry Persistence Change via Cmd
Severity: high. Detects changes to uncommon registry persistence keys where the data contains cmd.exe.
Detect Uncommon Registry Persistence Change via PowerShell
Severity: high. Detects changes to uncommon registry persistence keys where the data contains powershell.exe.
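The detection logic described in the recommendations and in the two coverage rules above, applied to constructed Sysmon Event ID 13 records. This is an added example, not the page's rule, the Elastic query or the SigmaHQ rule: the watched-value list (which adds Winlogon\Userinit and Windows\Load to the two values the page names), the default-data table, the writer allowlist, the "medium" severity for the generic hit and the sample records are all assumptions made here for illustration.

```python
"""Detection logic for uncommon registry persistence values, run over
constructed Sysmon Event ID 13 (RegistryEvent: value set) records.

Added example; not the page's rule, the Elastic query or the SigmaHQ rule.
Watched values, defaults, allowlist and sample events are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values named on the page, plus Winlogon\Userinit and Windows\Load, two
# neighbouring values abused the same way (assumption: added here for depth).
# Sysmon writes TargetObject with HKLM/HKU prefixes; [^\\]+ absorbs the user SID.
WATCHED_VALUES = [
    re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"^HKU\\[^\\]+\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(Run|Load)$", re.I),
]

# Writes that restore the stock data are not persistence (assumed defaults of
# a standard install; Userinit keeps its trailing comma).
DEFAULT_DATA = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Writer images vetted during alert review; a tuning knob, not a vendor list.
ALLOWED_IMAGES = {r"c:\windows\system32\msiexec.exe"}


@dataclass(frozen=True)
class RegistryEvent:
    utc_time: str
    image: str          # process that performed the write
    target_object: str  # full path of the value that was set
    details: str        # data written to the value


def parse_sysmon_line(line: str) -> RegistryEvent:
    """Parse one flattened 'Field: value|Field: value' record (a constructed
    text form of the Event ID 13 fields; real events arrive as EVTX/XML)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return RegistryEvent(fields["UtcTime"], fields["Image"],
                         fields["TargetObject"], fields["Details"])


def classify(ev: RegistryEvent) -> Optional[Tuple[str, str]]:
    """Return (rule name, severity) for a suspicious write, else None."""
    if not any(p.match(ev.target_object) for p in WATCHED_VALUES):
        return None                     # common Run keys etc. are out of scope
    value_name = ev.target_object.rsplit("\\", 1)[1].lower()
    data = ev.details.strip().lower()
    if data == DEFAULT_DATA.get(value_name):
        return None                     # stock value restored, not persistence
    if ev.image.lower() in ALLOWED_IMAGES:
        return None                     # writer tuned out after review
    if "powershell.exe" in data:
        return ("Uncommon Registry Persistence Change via PowerShell", "high")
    if "cmd.exe" in data:
        return ("Uncommon Registry Persistence Change via Cmd", "high")
    # Any other non-default data in these values (severity is an assumption).
    return ("Uncommon Registry Persistence Change", "medium")


def run_detection(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, rule, severity, writer image) for every alerting record."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_line(line)
        hit = classify(ev)
        if hit:
            alerts.append((ev.utc_time, hit[0], hit[1], ev.image))
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    # 1: installer restores the stock Shell value -> benign
    r"UtcTime: 2024-03-01 08:00:01.000|Image: C:\Temp\setup.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details: explorer.exe",
    # 2: Shell extended with a cmd.exe launcher -> via Cmd
    r"UtcTime: 2024-03-01 08:00:02.000|Image: C:\Users\Public\update.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details: explorer.exe,C:\Windows\System32\cmd.exe /c C:\Users\Public\u.bat",
    # 3: per-user Windows\Run set to an encoded PowerShell command -> via PowerShell
    r"UtcTime: 2024-03-01 08:00:03.000|Image: C:\Windows\Temp\inst.exe|TargetObject: HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run|Details: powershell.exe -nop -w hidden -enc SQBFAFgA",
    # 4: per-user Windows\Load written by an allowlisted installer -> tuned out
    r"UtcTime: 2024-03-01 08:00:04.000|Image: C:\Windows\System32\msiexec.exe|TargetObject: HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load|Details: C:\Program Files\Vendor\agent.exe",
    # 5: the common Run key is outside this rule's scope
    r"UtcTime: 2024-03-01 08:00:05.000|Image: C:\Users\Public\update.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details: C:\Users\Public\update.exe",
    # 6: Userinit gains a second executable -> generic alert
    r"UtcTime: 2024-03-01 08:00:06.000|Image: C:\ProgramData\svc.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|Details: C:\Windows\system32\userinit.exe,C:\ProgramData\svc.exe",
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Records 2, 3 and 6 alert; record 1 is filtered because it writes the stock data, record 4 because its writer is on the allowlist, and record 5 because the ordinary Run key is not one of the uncommon locations this rule covers. The default-data check matters in practice: attackers usually append to Shell or Userinit rather than replace them, so comparing the whole string against the stock value catches the appended launcher while ignoring repairs that restore the default.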