{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/exclaimer-ltd/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Edge","Cisco Spark","Admin By Request","Cloud Signature Update Agent","Vantage","Adobe Reader and Acrobat Manager"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","runkey"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","FastTrack Software","Exclaimer Ltd","Lenovo","Adobe"],"content_html":"\u003cp\u003eAttackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies registry run key locations for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a registry run key (e.g., \u003ccode\u003eHKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u003c/code\u003e) using tools such as \u003ccode\u003ereg.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a malicious executable path to the registry key.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or a user logs in.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched automatically as part of the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious executable establishes a connection to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like \u003ccode\u003ectfmon.exe\u003c/code\u003e, but tuning is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.\u003c/li\u003e\n\u003cli\u003eEnable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.\u003c/li\u003e\n\u003cli\u003eBlock known malicious executables and domains identified during triage to prevent further infection.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-run-key-registry-modification/","summary":"Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.","title":"Startup or Run Key Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Exclaimer Ltd","version":"https://jsonfeed.org/version/1.1"}