{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/registry-abuse/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","windows","registry-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers often disable Windows Defender services to evade detection and ensure the persistence of malware. This involves modifying specific registry keys that control the startup behavior of these services. By setting the \u0026lsquo;Start\u0026rsquo; value to \u0026lsquo;0x00000004\u0026rsquo;, the services are effectively disabled, preventing them from running automatically. This activity is a strong indicator of malicious intent, as it directly interferes with the endpoint\u0026rsquo;s security mechanisms, leaving the system vulnerable to further compromise. The DFIR Report has documented this technique in the context of IcedID infections leading to XingLocker ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an initial vector (e.g., phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains elevated privileges on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry keys corresponding to Windows Defender services such as \u003ccode\u003eWdBoot\u003c/code\u003e, \u003ccode\u003eWdFilter\u003c/code\u003e, \u003ccode\u003eWdNisDrv\u003c/code\u003e, \u003ccode\u003eWdNisSvc\u003c/code\u003e, \u003ccode\u003eWinDefend\u003c/code\u003e, and \u003ccode\u003eSecurityHealthService\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the \u003ccode\u003eStart\u003c/code\u003e value within these registry keys to \u003ccode\u003e0x00000004\u003c/code\u003e. For example, \u003ccode\u003ereg add \u0026quot;HKLM\\System\\CurrentControlSet\\Services\\WinDefend\u0026quot; /v Start /t REG_DWORD /d 4 /f\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s security services are disabled, preventing real-time threat detection and response.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys and executes malware, such as IcedID or other payloads, without interference from Windows Defender.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence mechanisms to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker may proceed to lateral movement, data exfiltration, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Windows Defender services allows attackers to operate undetected on compromised systems, leading to potential data breaches, malware infections, and ransomware deployment. The DFIR Report details how IcedID malware employs this technique to facilitate XingLocker ransomware attacks. Successful execution results in complete loss of endpoint protection, increasing the risk of widespread infection and data compromise across the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (Registry Event) logging to monitor registry modifications (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Disabling of Windows Defender Services via Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by registry modifications to Defender service keys with a value of \u003ccode\u003e0x00000004\u003c/code\u003e to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eCorrelate registry modification events with process creation events to identify the source of the malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor for processes accessing or modifying registry keys related to Windows Defender services (affected_products).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:34Z","date_published":"2024-01-03T18:22:34Z","id":"/briefs/2024-01-disabling-defender-services/","summary":"This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.","title":"Detection of Windows Defender Service Disabling via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disabling-defender-services/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender SmartScreen App Install Control"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-abuse","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers are disabling the Windows Defender SmartScreen App Install Control feature by modifying specific registry keys. This action circumvents a built-in Windows security control designed to prevent the installation of potentially malicious applications downloaded from the web. This allows for the installation of harmful applications without user prompts or restrictions, significantly increasing the risk of system compromise. This behavior, while not commonly seen in default configurations, allows for increased attack opportunities. The targeting scope includes Windows systems where the App Install Control feature is enabled, and success allows for further malicious payloads to be executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eConfigureAppInstallControl\u003c/code\u003e value under the \u003ccode\u003eHKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\SmartScreen\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eConfigureAppInstallControl\u003c/code\u003e value to \u0026ldquo;Anywhere\u0026rdquo; or modifies \u003ccode\u003eConfigureAppInstallControlEnabled\u003c/code\u003e to \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe Windows Defender SmartScreen App Install Control is disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads and executes a malicious application from the web.\u003c/li\u003e\n\u003cli\u003eThe malicious application compromises the system, potentially leading to data theft or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the App Install Control can lead to the installation of malware, potentially affecting a large number of systems. This can result in data breaches, financial loss, and reputational damage. If successful, the attackers gain the ability to bypass built-in security features, increasing the likelihood of a successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 logging to monitor registry modifications (reference: Sysmon EventID 13 data source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect the modification of the specific registry keys related to App Install Control (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement Group Policy settings to prevent users from modifying these registry keys (reference: \u003ccode\u003eRegistry.registry_path\u003c/code\u003e and \u003ccode\u003eRegistry.registry_value_data\u003c/code\u003e in the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-app-install-control/","summary":"Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.","title":"Windows Defender SmartScreen App Install Control Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-app-install-control/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-abuse","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis analytic detects the deletion of the Windows Defender main profile registry key, a technique used by attackers to impair endpoint defenses. The deletion is monitored via Sysmon EventID 13, specifically looking for \u0026lsquo;deleted\u0026rsquo; actions within the Windows Defender registry path. This activity is often associated with Remote Access Trojans (RATs) and other malware, as seen in campaigns like the \u0026ldquo;LazyScripter\u0026rdquo; RAT detailed by Malwarebytes in February 2021. Successful deletion of this key can disable Windows Defender, allowing attackers to operate with reduced visibility and resistance, enabling further malicious activities on the compromised system. The \u0026ldquo;LazyScripter\u0026rdquo; RAT, for example, uses similar techniques to disable security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unknown vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains elevated privileges on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process (e.g., cmd.exe, powershell.exe) to interact with the registry.\u003c/li\u003e\n\u003cli\u003eThe process attempts to delete the Windows Defender profile registry key: \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSysmon Event ID 13 logs the registry key deletion event.\u003c/li\u003e\n\u003cli\u003eWindows Defender is disabled or its configuration is altered due to the registry change.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with deploying malware or performing malicious activities without interference from Windows Defender.\u003c/li\u003e\n\u003cli\u003eData exfiltration or other objectives are achieved.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the Windows Defender profile registry key can severely compromise endpoint security. By disabling or weakening Windows Defender, attackers can operate with reduced visibility, allowing them to deploy malware, steal sensitive data, or establish persistent access without detection. This can lead to data breaches, financial loss, and reputational damage. The scope can range from a single endpoint to an entire organization, depending on the attacker\u0026rsquo;s objectives and the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications and deletions, which is crucial for triggering the detections in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment to minimize false positives and ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly to identify and contain potential defense evasion attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden registry permissions to prevent unauthorized modifications to critical security settings such as the Windows Defender profile.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-win-defender-registry-deletion/","summary":"Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.","title":"Windows Defender Profile Registry Key Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-win-defender-registry-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Edge","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","registry-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to disable the Windows Defender phishing filter by modifying specific registry values. Attackers may attempt to disable this security feature to increase the likelihood of successful phishing attacks, where users are tricked into visiting malicious websites. The detection leverages Sysmon Event ID 13 to monitor changes to registry values associated with Microsoft Edge\u0026rsquo;s phishing filter settings. Disabling this filter allows malicious actors to deceive users into visiting harmful websites without triggering browser warnings. This can lead to potential security incidents, such as malware infections or credential theft, if users unknowingly access compromised sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrative privileges on the target system, if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the Windows Registry.\u003c/li\u003e\n\u003cli\u003eThe script or command modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\PhishingFilter\u003c/code\u003e or \u003ccode\u003eHKCU\\SOFTWARE\\Microsoft\\Edge\\PhishingFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe registry value \u0026ldquo;EnabledV9\u0026rdquo; or \u0026ldquo;PreventOverride\u0026rdquo; is set to \u0026ldquo;0x00000000\u0026rdquo; to disable the phishing filter.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that the phishing filter is disabled in Microsoft Edge.\u003c/li\u003e\n\u003cli\u003eThe attacker launches a phishing campaign, directing users to malicious websites.\u003c/li\u003e\n\u003cli\u003eUsers, unaware of the disabled phishing filter, may visit the malicious websites, potentially leading to malware infection or data compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Defender phishing filter can significantly increase the risk of successful phishing attacks. Users may unknowingly visit malicious websites, leading to malware infections, credential theft, or other data compromises. This can result in financial losses, reputational damage, and disruption of business operations. While the exact number of potential victims is unknown, the impact could be widespread if the attack is successful on multiple systems within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to collect registry modification events, as this is required for the detections in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Defender Phishing Filter Override via Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of registry modifications to the \u003ccode\u003e*\\MicrosoftEdge\\PhishingFilter*\u003c/code\u003e path, especially when \u003ccode\u003eregistry_value_data\u003c/code\u003e is set to \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing attacks and encourage them to be cautious when clicking on links or opening attachments from unknown sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-phishing-filter-override/","summary":"The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.","title":"Windows Defender Phishing Filter Override via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-phishing-filter-override/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","registry-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers are known to disable Windows AutoLogger sessions to impair defenses and evade detection. This technique involves modifying specific registry values associated with AutoLogger sessions and their providers, effectively blinding EDR solutions and log ingest tools. By setting the \u0026ldquo;Start\u0026rdquo; or \u0026ldquo;Enabled\u0026rdquo; values under the \u003ccode\u003e\\WMI\\Autologger\\\u003c/code\u003e registry key to \u003ccode\u003e0x00000000\u003c/code\u003e, adversaries can stop the collection of crucial event data. This activity is often observed post-compromise, as a means to conceal further malicious actions and maintain persistence on the affected system. Malware such as IcedID and ransomware variants have been observed using similar techniques to impair logging and detection capabilities. The scope of this threat includes any Windows system where adversaries have gained sufficient privileges to modify registry settings related to event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, allowing them to modify system-level settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker identifies the registry keys associated with Windows AutoLogger sessions, typically located under \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eStart\u003c/code\u003e or \u003ccode\u003eEnabled\u003c/code\u003e registry values for specific AutoLogger sessions or providers within the \u003ccode\u003e\\WMI\\Autologger\\\u003c/code\u003e path. The values are set to \u003ccode\u003e0x00000000\u003c/code\u003e to disable the logging session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence through various methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, repeating the defense evasion steps to blind security tools across the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Ransomware Deployment:\u003c/strong\u003e With logging impaired, the attacker proceeds to exfiltrate sensitive data or deploy ransomware, hindering incident response efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By disabling AutoLogger sessions, attackers effectively blind EDR solutions and prevent the collection of critical event data. This can lead to delayed detection of malicious activity, increased dwell time, and ultimately, greater damage from data breaches or ransomware attacks. Several campaigns, including those involving IcedID and XingLocker ransomware, have leveraged similar techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 to monitor registry modifications, as specified in the \u003ccode\u003edata_source\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDisable AutoLogger Session\u003c/code\u003e to detect changes to AutoLogger registry values.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDisable AutoLogger Session\u003c/code\u003e to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eReview and harden registry permissions to prevent unauthorized modifications to critical system settings.\u003c/li\u003e\n\u003cli\u003eUtilize the \u003ccode\u003ewindows_impair_defenses_disable_auto_logger_session_filter\u003c/code\u003e macro (referenced in the original Splunk search) to tune detections and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-auto-logger/","summary":"An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.","title":"Windows AutoLogger Session Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-auto-logger/"}],"language":"en","title":"CraftedSignal Threat Feed — Registry-Abuse","version":"https://jsonfeed.org/version/1.1"}