Find sigma rule

Attack: Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system’s SMB/Windows Admin Shares for RPC communication.

MITRE

Tactic

defense-evasion

technique

T1112

Test : BlackByte Ransomware Registry Changes - Powershell

OS

windows

Description:

This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See “Preparing to Worm” section: https://redcanary.com/blog/blackbyte-ransomware/ The steps are as follows:

1. Elevate Local Privilege by disabling UAC Remote Restrictions
2. Enable OS to share network connections between different privilege levels
3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths

The registry keys and their respective values will be created upon successful execution.

Executor

powershell

Sigma Rule

registry_set_blackbyte_ransomware.yml (id: 83314318-052a-4c90-a1ad-660ece38d276)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test