An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials have been obtained. Once the registry is remotely accessible, it can be used to stage a Lateral Movement technique, discover the configuration of a host, achieve Persistence, or otherwise advance the adversary's objectives. Like most ATT&CK techniques, this behavior also occurs legitimately, so the reliability of an analytic depends on properly identifying the pre-existing legitimate behavior in the environment. Although the service is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005.

Remote access to the registry can be achieved via

  • the Windows API function RegConnectRegistry
  • the command line, via reg.exe
  • the graphical interface, via regedit.exe

All of these methods call into the Windows API, which carries the registry protocol over the WINREG named pipe on SMB. This network traffic can be decoded with Wireshark or a similar sensor, and the behavior can also be detected by hooking the API function on the host.

ATT&CK Detections

| Technique       | Subtechnique(s) | Tactic(s)       | Level of Coverage |
|-----------------|-----------------|-----------------|-------------------|
| Modify Registry | N/A             | Defense Evasion | Moderate          |

D3FEND Techniques

| ID       | Name                 |
|----------|----------------------|
| D3-IPCTA | IPC Traffic Analysis |

Data Model References

| Object | Action  | Field      |
|--------|---------|------------|
| flow   | message | dest_port  |
| flow   | message | proto_info |

Implementations

Pseudocode

flows = search Flow:Message
winreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG")
winreg_modify = filter winreg where (proto_info.function == "Create*" or proto_info.function == "SetValue*")

output winreg_modify
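The pseudocode above, worked through in Python over constructed Flow:Message records (an added example, not part of the CAR page): the first filter keeps SMB traffic on the WINREG pipe, the second narrows it to key-creation and value-setting calls, and a per-source summary gives the analyst a starting point for separating administrative tooling from unexpected hosts. Field names follow the data model on this page; the record layout and function names are assumptions.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample flow records shaped like the analytic's data model
# (dest_port, proto_info.pipe, proto_info.function). Not real captures.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "proto_info": {"pipe": "WINREG", "function": "OpenKey"}},     # read-only, not flagged
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "proto_info": {"pipe": "WINREG", "function": "CreateKey"}},   # flagged
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "proto_info": {"pipe": "WINREG", "function": "SetValue"}},    # flagged
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.20", "dest_port": 445,
     "proto_info": {"pipe": "srvsvc", "function": "NetShareEnum"}},  # other pipe
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.20", "dest_port": 139,
     "proto_info": {"pipe": "WINREG", "function": "SetValue"}},    # wrong port
]

# Wildcards mirror the pseudocode's "Create*" and "SetValue*" patterns.
MODIFY_PATTERNS = ("Create*", "SetValue*")


def is_winreg(flow):
    """First filter: SMB (445) traffic carried on the WINREG named pipe."""
    info = flow.get("proto_info", {})
    return flow.get("dest_port") == 445 and info.get("pipe") == "WINREG"


def is_modify(flow):
    """Second filter: remote registry calls that create keys or set values."""
    func = flow.get("proto_info", {}).get("function", "")
    return any(fnmatchcase(func, pat) for pat in MODIFY_PATTERNS)


def winreg_modifications(flows):
    """Apply both filters in order, as the pseudocode does."""
    winreg = [f for f in flows if is_winreg(f)]
    return [f for f in winreg if is_modify(f)]


def modifications_by_source(flows):
    """Count flagged flows per (src_ip, dest_ip) pair for analyst triage."""
    return Counter((f["src_ip"], f["dest_ip"]) for f in winreg_modifications(flows))


if __name__ == "__main__":
    for (src, dst), n in modifications_by_source(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {n} remote registry modification call(s)")
```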