Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe, through the corresponding management channels, or by calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that perform the same actions, but these typically run from a different process tree. Such background scripts must be learned so they can be tuned out accordingly.
The sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Query Registry | Defense Evasion | Moderate |
| Modify Registry | Persistence, Privilege Escalation | Moderate |
| Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | Moderate |
| Service Registry Permissions Weakness | Persistence, Privilege Escalation | Moderate |
To gain better context, it may be useful to also collect information about the cmd.exe process in order to know its parent. This helps when tuning the analytic to an environment where this behavior happens frequently, and it also helps to rule out instances of users running reg.exe from within a command prompt that was created from Explorer.
A second version of the analytic does not join back to the parent process, which allows a tighter time window when actually searching. Instead, it looks for registry modifications made via reg.exe across a large number of hosts and counts how many hosts share each command line.
```
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
```
```
processes = search Process:Create
reg_processes = filter processes where (
  exe == "reg.exe" and parent_exe == "cmd.exe" and
  (command_line == "*add*" OR command_line == "*delete*" OR command_line == "*copy*" OR
   command_line == "*restore*" OR command_line == "*load*" OR command_line == "*import*")
)
reg_processes_counted = count(hostname) as host_count group reg_processes by command_line
reg_processes_sorted = sort by host_count
output reg_processes_sorted
```
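The two pseudocode analytics above, implemented over a small set of constructed Sysmon-style process-creation events. This is an added example, not code from the CAR project: the hostnames, PIDs and command lines are made up, and the `ProcessCreate` record is an assumed flattening of the Process:Create data model fields (`hostname`, `pid`, `ppid`, `exe`, `parent_exe`, `command_line`). Version 1 joins each reg.exe back to its cmd.exe parent and keeps only chains whose cmd.exe was not spawned by explorer.exe; version 2 skips the join and counts distinct hosts per modifying command line.

```python
"""Added example (not CAR's own code): evaluate both analytic variants
over constructed process-creation events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    # Assumed flattening of the Process:Create data model fields.
    hostname: str
    pid: int
    ppid: int
    exe: str
    parent_exe: str
    command_line: str


# Constructed sample events (hypothetical hosts, PIDs and command lines).
RUN_KEY_ADD = r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\upd.exe"
EVENTS = [
    # Interactive user: explorer.exe -> cmd.exe -> reg.exe; version 1 tunes this out.
    ProcessCreate("WS01", 4001, 1200, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("WS01", 4002, 4001, "reg.exe", "cmd.exe", r"reg.exe QUERY HKLM\Software\Microsoft"),
    # Non-interactive trees: services.exe / wscript.exe -> cmd.exe -> reg.exe add Run key.
    ProcessCreate("WS02", 5001, 800, "cmd.exe", "services.exe", "cmd.exe /c upd.bat"),
    ProcessCreate("WS02", 5002, 5001, "reg.exe", "cmd.exe", RUN_KEY_ADD),
    ProcessCreate("WS03", 6001, 900, "cmd.exe", "wscript.exe", "cmd.exe /c upd.bat"),
    ProcessCreate("WS03", 6002, 6001, "reg.exe", "cmd.exe", RUN_KEY_ADD),
    # reg.exe launched directly from PowerShell: outside this analytic's scope.
    ProcessCreate("WS04", 7002, 7000, "reg.exe", "powershell.exe", r"reg.exe query HKLM\System"),
]

# Verbs the second analytic treats as registry modification.
MODIFY_VERBS = ("add", "delete", "copy", "restore", "load", "import")


def reg_from_non_explorer_shell(events):
    """Version 1: join reg.exe to its cmd.exe parent on (hostname, ppid == pid)
    and keep only cmd.exe processes whose own parent is not explorer.exe.
    Returns (reg_event, cmd_event) pairs so the full chain is available."""
    cmds = {
        (e.hostname, e.pid): e
        for e in events
        if e.exe == "cmd.exe" and e.parent_exe != "explorer.exe"
    }
    hits = []
    for e in events:
        if e.exe == "reg.exe" and e.parent_exe == "cmd.exe":
            cmd = cmds.get((e.hostname, e.ppid))
            if cmd is not None:
                hits.append((e, cmd))
    return hits


def modifying_reg_by_host_count(events):
    """Version 2: for reg.exe under cmd.exe whose command line matches one of
    the modification wildcards, count distinct hosts per command line and
    sort descending. The wildcard "*load*" is a substring match, so a path
    containing e.g. "download" also matches; that is a tuning consideration."""
    hosts_by_cmdline = {}
    for e in events:
        if e.exe != "reg.exe" or e.parent_exe != "cmd.exe":
            continue
        lowered = e.command_line.lower()
        if not any(verb in lowered for verb in MODIFY_VERBS):
            continue
        hosts_by_cmdline.setdefault(e.command_line, set()).add(e.hostname)
    return sorted(
        ((cmdline, len(hosts)) for cmdline, hosts in hosts_by_cmdline.items()),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    for reg, cmd in reg_from_non_explorer_shell(EVENTS):
        print(f"{reg.hostname}: {cmd.parent_exe} -> {cmd.exe} -> {reg.command_line}")
    for cmdline, host_count in modifying_reg_by_host_count(EVENTS):
        print(f"{host_count} host(s): {cmdline}")
```

Version 1 flags WS02 and WS03 and ignores the Explorer-spawned chain on WS01; version 2 reports the shared Run-key command line as seen on two hosts, which is the kind of fan-out across hosts the second analytic is meant to surface.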
Test Case 1:
- Configurations: Windows 7
- Description: Execute reg.exe from cmd.exe. Note that the analytic joins back to the grandparent process, which in this case is explorer.exe. The query time window must include the user logon. For example, if you logged in at 8am and tested the analytic at 10am, the query needs to search from 8am to 10am, not just at 10am. Within a command window, run the command:

```
reg.exe QUERY HKLM\Software\Microsoft
```
Data Model References