{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/registry_modification/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Outlook"],"_cs_severities":["medium"],"_cs_tags":["persistence","registry_modification","outlook","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim\u0026rsquo;s system. The specific registry keys targeted reside under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the specific registry keys controlling Outlook security settings, located under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the registry values related to Outlook security settings.\u003c/li\u003e\n\u003cli\u003eSpecifically, values are modified to enable the execution of \u0026ldquo;unsafe\u0026rdquo; mail client rules, potentially allowing arbitrary code execution via crafted emails.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious email designed to trigger the newly enabled, unsafe mail rules.\u003c/li\u003e\n\u003cli\u003eUpon receiving the email, Outlook processes the rules, executing the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The scope of the impact depends on the privileges of the user account and the attacker\u0026rsquo;s objectives, potentially affecting all users within an organization if the attacker gains domain administrator access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outlook Security Settings Updated - Registry\u0026rdquo; to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) modifying registry keys under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e (Sigma rule below, logsource: process_creation/windows).\u003c/li\u003e\n\u003cli\u003eImplement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-outlook-registry-security-settings/","summary":"Attackers modify Outlook security settings via registry changes to enable malicious mail rules and bypass security controls, potentially leading to persistence and data compromise.","title":"Outlook Security Settings Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-outlook-registry-security-settings/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["persistence","registry_modification","werfault"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Error Reporting (Werfault) service to establish persistence on a compromised system. This is achieved by modifying the ReflectDebugger registry key. When Werfault is executed with the \u003ccode\u003e-pr\u003c/code\u003e parameter, it will execute the debugger specified in the ReflectDebugger registry key. This allows attackers to execute arbitrary code every time the Windows Error Reporting utility is triggered. The technique involves modifying specific registry paths associated with the ReflectDebugger. This behavior has been documented as a persistence mechanism in malware analysis reports.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify the Windows Error Reporting ReflectDebugger registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ReflectDebugger value within one of the following registry paths: \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e, \u003ccode\u003e\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e, or \u003ccode\u003eMACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the ReflectDebugger value to a malicious executable or script.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers Werfault.exe with the \u003ccode\u003e-pr\u003c/code\u003e parameter, either manually or through a system event.\u003c/li\u003e\n\u003cli\u003eWerfault.exe executes the attacker-controlled code specified in the ReflectDebugger registry value.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, as the malicious code is executed each time Werfault is triggered with the \u003ccode\u003e-pr\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on the targeted system. This can lead to the execution of arbitrary code, potentially resulting in data theft, further malware installation, or complete system compromise. The impact is limited by the permissions of the Werfault process. While no specific victim counts are available, this technique can affect any Windows system where the attacker can modify the registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWerfault ReflectDebugger Registry Modification\u003c/code\u003e to detect unauthorized modifications to the ReflectDebugger registry key (logsource: \u003ccode\u003eregistry_set\u003c/code\u003e, rule title).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect the execution of Werfault with the \u003ccode\u003e-pr\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the specific ReflectDebugger paths mentioned in the overview section (\u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-werfault-reflectdebugger-persistence/","summary":"Attackers may establish persistence by modifying the ReflectDebugger registry key associated with Windows Error Reporting to execute arbitrary code when Werfault is invoked with the '-pr' parameter.","title":"Werfault ReflectDebugger Persistence via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-werfault-reflectdebugger-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Registry_modification","version":"https://jsonfeed.org/version/1.1"}