Monitor AutoRun Registry Keys

Description

Attackers often add malware to the Windows Autorun registry keys to maintain persistence. This search looks through registry data for suspicious activities.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

High

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence

MITRE ATT&CK Techniques

Registry Run Keys / Startup Folder

MITRE Threat Groups

APT18
APT19
APT29
APT3
APT32
APT33
APT37
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
Darkhotel
Dragonfly 2.0
FIN10
FIN6
FIN7
Gorgon Group
Honeybee
Ke3chang
Kimsuky
Lazarus Group
Leviathan
Machete
Magic Hound
MuddyWater
Patchwork
Putter Panda
Threat Group-3390
Turla

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

How to Implement

This use case requires a universal forwarder on the Windows endpoints you wish to monitor, as well as the Windows add-on configured to send your logs to Splunk. Alternatively, endpoint solutions such as Carbon Black can also report the registry modifications this use case needs.

Known False Positives

None at the moment

How To Respond

When this search fires, start your incident response process and verify the activities of the process that wrote the registry key.

Help

Monitor AutoRun Registry Keys Help

Often, attackers add malware to the Windows Autorun registry keys. This allows the malware to execute after a restart of the computer, which enables it to persist across reboots, and potentially delays the execution of the code until after a reboot to make its activities harder to detect. While legitimate applications also write to these keys, it is a good idea to monitor them and investigate anything that appears suspicious.

SPL for Monitor AutoRun Registry Keys

Demo Data

First we load our basic demo data
Then we filter for some of the most common AutoRuns keys that are seen in the wild
Finally we put everything in a table that is easy for analysts to read

Live Data

First we load our basic Windows Registry data and filter for some of the most common AutoRuns keys that are seen in the wild
Finally we put everything in a table that is easy for analysts to read
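The three steps above (load the registry data, filter for the common AutoRun keys, table the hits for analysts), as an added example written in Python rather than SPL; this is not Splunk's search, and the sample events and their field names (registry_path, process_image, registry_value_data and so on) are constructed assumptions modelled on Windows add-on registry data.

```python
import re

# Constructed sample events in key=value form, modelled on the registry modification
# data the Splunk Add-on for Windows produces (field names here are assumptions).
SAMPLE_EVENTS = [
    '_time=2024-03-01T09:12:04 host=WS01 user=CORP\\alice action=modified '
    'process_image="C:\\Program Files\\Vendor\\setup.exe" '
    'registry_path="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray" '
    'registry_value_data="C:\\Program Files\\Vendor\\tray.exe"',
    '_time=2024-03-01T09:15:31 host=WS01 user=CORP\\alice action=modified '
    'process_image="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe" '
    'registry_path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Update" '
    'registry_value_data="C:\\Users\\alice\\AppData\\Roaming\\svc.exe"',
    '_time=2024-03-01T09:16:02 host=WS01 user=CORP\\alice action=modified '
    'process_image="C:\\Windows\\explorer.exe" '
    'registry_path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" '
    'registry_value_data="1"',
]

# AutoRun locations commonly abused for persistence (ATT&CK T1547.001). Only the path
# below the hive is matched, so HKLM, HKCU and \REGISTRY\USER\<SID> spellings all hit.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|"
    r"RunServicesOnce|Policies\\Explorer\\Run)\\[^\\]+$"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TABLE_FIELDS = ("_time", "host", "user", "action", "process_image", "registry_path", "registry_value_data")

def parse_event(line):
    """Step 1: turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def find_autorun_writes(event_lines):
    """Step 2: keep only registry writes whose value lives under a monitored AutoRun key."""
    hits = []
    for event in map(parse_event, event_lines):
        if AUTORUN_KEY_RE.search(event.get("registry_path", "")):
            hits.append({field: event.get(field, "") for field in TABLE_FIELDS})
    return hits

def format_table(rows):
    """Step 3: render the hits as a fixed-width table, like SPL's table command."""
    widths = [max([len(f)] + [len(r[f]) for r in rows]) for f in TABLE_FIELDS]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*TABLE_FIELDS), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*(r[f] for f in TABLE_FIELDS)) for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_table(find_autorun_writes(SAMPLE_EVENTS)))
```

The vendor installer writing to HKLM\...\Run is the kind of legitimate hit the Help text mentions, while the RunOnce value written from a Temp directory is the row an analyst would chase first.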