From Registry With Love: Malware Registry Abuses

The Windows Registry is one of the most powerful Windows operating system features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware or adversaries abuse this hierarchical database to perform malicious tasks on a victim host or environment.  Over the last 2 years, the Splunk Threat Research Team has analyzed and reverse engineered some of the most prevalent and successful malware families. During this process we learned about the many ways the Windows Registry can be abused for malicious purposes.

We will share some of these findings, dive deep into each tactic and show how the registry plays a key role at each stage of an attack. We will also describe the detections developed by the Splunk Threat Research Team (STRT) using the Splunk Sysmon TA and the Splunk Common Information Model (CIM). This article may help security analysts or digital forensic analysts identify evidence of adversary tradecraft that abuses the Windows Registry. 

This blog describes common Windows Registry abuses leveraged by current and relevant malware families in the wild across MITRE ATT&CK tactics and techniques. We saw how flexible, rich and powerful the modification of Registry keys are in terms of attack and, in this article, we covered 8 of 14 MITRE ATT&CK tactics.

Why Should You Care?

Successfully identifying malware continues to be a challenging and difficult task for security teams. Signatures and heuristics are constantly bypassed by malware authors in a cat-and-mouse race. The Splunk Threat Research Team recommends complementing anti-malware prevention controls with a detection approach to keep your networks clean. As we have seen in this blog post, malware authors commonly abuse the Windows Registry and this introduces a great detection opportunity that is difficult to bypass. Cyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to suspicious registry creation, modification and deletion.

Windows Registry Structure

The Windows Registry contains two basic elements, keys and values. Registry keys can be considered an object container or folder that may contain subkeys and values, while the Registry values are the non-container objects similar to files. The screenshot below shows the structural part of the registry. Understanding the structure will help analysts figure out what modifications have been made and what might be the effect of those Registry changes.

Discovery

The Registry can store valuable information about the operating system, specific applications or settings that may be used by adversaries to stage future operations. Typically, host level information is stored in the HKEY_LOCAL_MACHINE hive. Within this hive it is possible to identify all software installed and operating system features enabled. As an example, many objects that may be enabled via Windows Group Policy are turned on/off within this hive (among others). In addition to host and software information, this hive also contains the SAM and Security keys, related to credential access, which we will showcase later. To simulate different adversary tradecraft, check out Atomic Red Team T1012 which describes the many ways to gather host and software from the registry.   

Late last year we blogged about Remcos RAT, which is a common remote access trojan with many features built in for an adversary. Remcos at the time was being utilized by FIN7 to maintain access. Within that frame, the adversary was utilizing the registry to identify product information as seen in Figure 1.

^{Figure 1}

Similarly, we analyzed Trickbot mid 2021. Trickbot is a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Figure 2 shows how the “Systeminfo64.dll” module of Trickbot malware collects all installed applications in the compromised host by querying the “uninstall” Registry.

^{Figure 2}

The registry is a treasure trove of host information that an adversary may collect data from and analyze. As showcased, Trickbot and Remcos, among many, build in reconnaissance techniques to help the operator decide next steps. Think of it as a way for the adversary to go back and craft their next move for the next phase.

Persistence And Privilege Escalation

Typically after executing discovery techniques,  an adversary may look to persist or perform privilege escalation. This may occur in many ways, but within the registry there is a large trove of registry keys to persist or elevate privileges. 

There are many common known values that allow an adversary to run their payload upon boot. In fact, we have a query that looks for many of them here:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

Non-malicious software may use these keys for normal operation, however a new value should be reviewed based on prevalence, the process and the account performing the behavior. 

Registry Run Keys

A popular registry key leveraged for persistence is the “Run” Registry entry. The Run key may allow malicious files to automatically execute upon reboot of the compromised system. Figure 3 below shows how malicious.exe creates a reg run entry to persist on a targeted host.

^{Figure 3}

Boot or Logon Autostart Execution

Another common technique is to create or modify existing services to gain persistence and perform privilege escalation. Figure 3.1 below is the event simulated with the Atomic Red Team technique T1574.011, which simulates a threat actor looking for services with weak permissions in the Windows Registry. If such services exist, the actor can modify the file path to point to a malicious binary and the next time the service starts, malicious code will be executed. An example is shown below.

^{Figure 3.1}

Built-in Local Administrator Accounts

Enabling the built-in local Administrator account, which is disabled by default, is another technique abused by adversaries to achieve persistence. This technique was seen in “BlackMatter Ransomware” (see the reference blog from Trend Micro) to automatically logon to the compromised host after triggering safe mode boot. Below is the short batch script to simulate this technique. Atomic Red Team T1562.001 also has several ways to simulate it. 

reg  add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon  /t REG_SZ /d 1

reg  add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d administrator /f

Additionally,  adversaries leverage application Shimming, the Printer Registry, Safeboot Registry, Active Setup, logon script and many more. Below is a list of analytics the STRT has developed across the spectrum of persistence and privilege escalation abuse in the Windows Registry.

Defense Evasion

From discovery, persistence and privilege escalation, an adversary will eventually need to evade other controls in place. The Windows Registry plays a role here as most security products and applications create a Registry entry as part of their installation. Windows itself is riddled with different entries that  adversaries abuse to evade detections, bypass User Account Control (UAC) and impair security products.

User Account Control Bypass

One example is bypassing User Account Control to elevate process privileges or execute elevated COM objects without prompting the user through the UAC notification message box. Figure 4 is a code snippet of how Remcos RAT attempts to disable the UAC through the registry by checking and disabling the EnableLUA value.

 _{Figure 4}

Adversaries may also add an entry to eventvwr.exe and fodhelper.exe registry keys to bypass UAC. These two Windows applications have a high integrity level (admin rights) process that can ignore UAC. Figure 5.1 and Figure 5.2 show how the IcedID malware bypasses UAC using this technique. By overwriting the executable path on the registry values of these two registry keys, malicious code can bypass UAC and run in high integrity. Simulating this technique is available in Atomic Red Team T1548.002.

^{Figure 5.1}

^{Figure 5.2}

Aside from UAC bypasses, malware also commonly will try to disable security tools like ETW, security event logs and the Windows Defender Antivirus. Figure 6 is a screenshot of the batch script identified by Remcos loaders that evade or disable Windows Defender Antivirus features, disable system restore point and many other registry values.

^{Figure 6}

Adversaries may also abuse the Registry capability to disable or modify group policy features, Windows notification or even disable common Windows applications like cmd.exe, Task Manager and Regedit to make it difficult for analysts and forensic responders to react to the attack. Below is a simple batch script that disables cmd, TaskMgr and Registry tool.

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f

Other techniques adversaries may leverage to perform Defense Evasion include disabling a plethora of security controls security teams rely on like AMSI, specific Windows Defender features, SystemRestore, among many others. Below is a list of analytics the STRT has developed across the spectrum of defense evasion techniques that abuse the Windows Registry.

Execution

Also within the Registry is the ability to bypass restrictions. For example, in PowerShell, to allow the execution of scripts on a host, an adversary may bypass the execution policy of PowerShell by modifying or adding an execution policy registry entry for PowerShell similar to  the simple command below. 

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Unrestricted /f
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Bypass /f

Image File Execution

Hijacking the image file execution options (IFEO) debugger registry is another key abused by also being abused by threat actors. IFEOs enable a developer to attach a debugger to an application. When a targeted process is created, a debugger present in the IFEO registry will be launched too.

Below is a simple command to execute this technique.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\C:\Windows\System32\calc.exe" /v Debugger /d "C:\windows\system32\cmd.exe"

Fileless Execution Through Registry 

Fileless malware typically describes a threat that does not rely on files to operate, such as a backdoor that lives only in the memory. Adversaries can abuse the Windows Registry to install fileless malware on victim systems. One example is the execution of a malicious script by the Kovter malware leveraging registry entries. By using this technique, attackers attempt to make their malicious code bypass common security controls like anti malware. 

Below is an example of a .reg file that executes a Javascript script.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atomic"="\"mshta\" \"javascript:a=new ActiveXObject(\"WScript.Shell\");a.Run(\"calc.exe\",0,true);close();\""

Lateral Movement

The Windows Registry can also be a vector abused by adversaries during lateral movement. For example, different campaigns over the year that we've triaged abuse the registry to modify inbound traffic ports or enable terminal services. The DFIR Report blogged about how the Xmrig Coinminer malware changes the port number used by the remote desktop protocol to allow adversaries to move laterally with minimal noise in normal RDP port monitoring (default port 3389). Below is a simple PowerShell command that may be used to simulate the technique also available in Atomic Red Team T1021.001

$portvalue = 3390
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal 
Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue 

Collection

The Registry may also be a source of sensitive information that may be collected and  exfiltrated or may be used by an adversary to continue their long term operation against the organization. During triage of different IcedID samples the below list of keys were collected related to Outlook information that included user profile, email signatures and browser password storage. This information can be used by the Threat Actors or adversaries to their phishing email campaigns to compromise specific targets or networks. 

• HKCU\Software\Microsoft\Office\%u.0\Outlook\Profiles
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
• HKCU\Software\Microsoft\ActiveSync\Partners
• HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Credential Access

Since everything else resides in the registry, so do credentials. An adversary may dump specific keys to escalate privileges on an endpoint. The Security Account Manager (SAM) database contains local accounts for the host. Once this database gets to the hand of the threat actors, they can extract password hashes for high privileged users and attempt to crack them offline. Below is a script that will simulate this behavior. We also recommend the Atomic Red Team T1003.002 for testing this attack.

C:\Windows\system32\cmd.exe /c "reg save HKLM\sam %%temp%%\sam & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security"

Impact

A commonality over the last 2 years is registry keys that may be used by ransomware operators to modify the wallpaper or disable crash dumps. Adversaries use this as a way to notify the end user that ransomware has been installed. Figure 7 highlights the REvil ransomware campaign abusing such techniques.

^{Figure 7}

Other techniques adversaries may leverage to perform this tactic by stopping services, trigger system shutdown/reboot, wiping registry hives or disabling crashdump like what hermetic wiper malware did.

Automating with SOAR Playbooks

All of the previously listed detections create entries in the Splunk Enterprise Security risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks can also be used in conjunction with some of the previously described analytics:

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the following for their contributions to this post: Teoderick Contrera, Michael Haag, Mauricio Velazco, Rod Soto, Jose Hernandez, Patrick Barreiss, Lou Stella, Bhavin Patel and Eric McGinnis.