Working with registry
We want to monitor changes made to the registry value AppInit_DLLs, which allows dynamic-link libraries (DLLs) to be loaded automatically into certain processes on the system. A related registry value with similar functionality is AppCertDlls. The full registry value paths are:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\AppCertDlls
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>AppInit DLL Registry Creation [A0101]</name>
    <category>Persistence</category>
    <os>Windows</os>
    <severity>80</severity>
    <mitreattackid>T1218.011</mitreattackid>
    <explanation>AppInit DLL is a mechanism that allows an arbitrary list of DLLs to be loaded into each user-mode process on the system. DLLs that are specified in the `AppInit_DLLs` value in the Registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into (almost) every process that loads user32.dll. The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.</explanation>
    <benignCauses>AppInit_DLLs are rarely used by specific software, such as graphic card support DLLs or virtual machine software.</benignCauses>
    <maliciousCauses>AppInit_DLLs are sometimes used by malware to achieve persistence on the target machine.</maliciousCauses>
    <recommendedActions>1. Evaluate whether the change to AppInit_DLLs correlates with known software, a software update, patch cycles, etc.
    2. Evaluate the process/module that made the change.
    3. Check for the presence of new/non-standard DLLs on the computer.
    4. If a suspicious process/module or DLL is detected, start the incident response process (for example, disconnect the computer from the internet, update your antivirus product and scan the computer for malware, send samples for analysis, block modules, etc.).</recommendedActions>
  </description>
  <definition>
    <operations>
      <operation type="RegSetValue">
        <operator type="OR">
          <operator type="AND">
            <operator type="OR">
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"/>
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"/>
            </operator>
            <condition component="RegistryItem" property="Key" condition="ends" value="Appinit_Dlls"/>
          </operator>
          <operator type="AND">
            <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SYSTEM\ControlSet"/>
            <condition component="RegistryItem" property="Key" condition="ends" value="Control\SESSION MANAGER\AppCertDlls"/>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Things to notice in the rule example above:
1. Use of the abbreviated hive name (HKLM) instead of the full one (HKEY_LOCAL_MACHINE), because full HKEY values are not matched.
2. Inclusion of Wow6432Node for AppInit_DLLs. This and many other values are duplicated under this registry key for x86 support on x64 systems, so that copy has to be monitored as well.
3. Matching the registry value via the ends condition. We first decided to match the registry value name "AppInit_DLLs" and then check whether the path to the registry value is the wanted one. This approach should theoretically lower the server's workload because conditions are evaluated with short-circuit semantics. Using the whole registry value path for matching ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs") is also acceptable.
4. CurrentControlSet is a symbolic link that the operating system evaluates dynamically and that points to ControlSet%number%. Because Enterprise Inspector receives the registry path with the ControlSet%number% value, we split the registry value path into two components: a starts condition on HKLM\SYSTEM\ControlSet and an ends condition on the rest of the path.
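To see how the four points above play out, the following added example (not Enterprise Inspector's code, and not part of the original page) parses the rule's <definition> element with Python's standard XML library and evaluates its AND/OR condition tree against constructed RegSetValue events. It assumes an event shape of component -> property -> value (so the Key property holds the full registry value path, as the rule's ends condition implies) and assumes plain case-insensitive string comparison for the starts and ends conditions; both are assumptions about the product, not facts taken from the page.

```python
"""Added example: evaluate the page's AppInit_DLLs / AppCertDlls rule definition
against constructed RegSetValue events. Not Enterprise Inspector's code; the
event shape and the case-insensitive string comparison are assumptions."""
import xml.etree.ElementTree as ET

# Copy of the <definition> element from the rule on the page.
RULE_DEFINITION = r"""
<definition>
  <operations>
    <operation type="RegSetValue">
      <operator type="OR">
        <operator type="AND">
          <operator type="OR">
            <condition component="RegistryItem" property="Key" condition="starts"
                       value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"/>
            <condition component="RegistryItem" property="Key" condition="starts"
                       value="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"/>
          </operator>
          <condition component="RegistryItem" property="Key" condition="ends" value="Appinit_Dlls"/>
        </operator>
        <operator type="AND">
          <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SYSTEM\ControlSet"/>
          <condition component="RegistryItem" property="Key" condition="ends"
                     value="Control\SESSION MANAGER\AppCertDlls"/>
        </operator>
      </operator>
    </operation>
  </operations>
</definition>
"""


def _condition_matches(cond, event):
    # Assumption: the event exposes component -> property -> value, e.g.
    # event["RegistryItem"]["Key"], and comparison is case-insensitive.
    actual = event.get(cond.get("component"), {}).get(cond.get("property"), "").lower()
    expected = cond.get("value").lower()
    kind = cond.get("condition")
    if kind == "starts":
        return actual.startswith(expected)
    if kind == "ends":
        return actual.endswith(expected)
    raise ValueError(f"unsupported condition type: {kind}")


def _evaluate(node, event):
    if node.tag == "condition":
        return _condition_matches(node, event)
    if node.tag == "operator":
        kind = node.get("type")
        if kind == "AND":
            return all(_evaluate(child, event) for child in node)  # stops at first False
        if kind == "OR":
            return any(_evaluate(child, event) for child in node)  # stops at first True
        raise ValueError(f"unsupported operator type: {kind}")
    raise ValueError(f"unexpected element: {node.tag}")


def rule_matches(event, definition_xml=RULE_DEFINITION):
    """Return True if the event's operation type and condition tree both match."""
    root = ET.fromstring(definition_xml)
    for operation in root.iter("operation"):
        if operation.get("type") != event.get("operation"):
            continue
        if all(_evaluate(child, event) for child in operation):
            return True
    return False


def reg_set_value(key):
    # Constructed event: the Key property carries the full registry value path.
    return {"operation": "RegSetValue", "RegistryItem": {"Key": key}}


# Constructed sample paths, one per point discussed in the text.
SAMPLE_EVENTS = {
    "native AppInit_DLLs": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    "Wow6432Node AppInit_DLLs": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    "AppCertDlls via ControlSet001": r"HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCertDlls",
    "AppCertDlls via CurrentControlSet": r"HKLM\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\AppCertDlls",
    "full HKEY prefix": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    "other value in the same key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ExampleOtherValue",
    "LoadAppInit_DLLs": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
}


def evaluate_samples():
    """Map each sample label to whether the rule would fire on it."""
    return {label: rule_matches(reg_set_value(key)) for label, key in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'MATCH ' if hit else 'ignore'}  {label}")
```

Two of the sample results are worth a second look when tuning the rule. The path written with CurrentControlSet does not match, which is exactly why point 4 relies on the sensor delivering the resolved ControlSet%number% form. And under plain string comparison the ends condition "Appinit_Dlls" also fires on the neighbouring LoadAppInit_DLLs value in the same key, because that name ends with the same characters; if the product compares whole path components rather than raw strings this would not happen, so check the behaviour of the ends condition against a real event before relying on it, or use the whole value path as the text's point 3 says is also acceptable.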