1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", 6 "from": "now-9m", 7 "index": [ 8 "logs-endpoint.events.*", 9 "winlogbeat-*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Persistence via WMI Standard Registry Provider", 15 "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", 16 "references": [ 17 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov" 18 ], 19 "risk_score": 73, 20 "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", 21 "severity": "high", 22 "tags": [ 23 "Elastic", 24 "Host", 25 "Windows", 26 "Threat Detection", 27 "Persistence" 28 ], 29 "threat": [ 30 { 31 "framework": "MITRE ATT&CK", 32 "tactic": { 33 "id": "TA0003", 34 "name": "Persistence", 35 "reference": "https://attack.mitre.org/tactics/TA0003/" 36 }, 37 "technique": [ 38 { 39 "id": "T1547", 40 "name": "Boot or Logon Autostart Execution", 41 "reference": "https://attack.mitre.org/techniques/T1547/", 42 "subtechnique": [ 43 { 44 "id": "T1547.001", 45 "name": "Registry Run Keys / Startup Folder", 46 "reference": "https://attack.mitre.org/techniques/T1547/001/" 47 } 48 ] 49 }, 50 { 51 "id": "T1543", 52 "name": "Create or Modify System Process", 53 "reference": "https://attack.mitre.org/techniques/T1543/", 54 "subtechnique": [ 55 { 56 "id": "T1543.003", 57 "name": "Windows Service", 58 "reference": "https://attack.mitre.org/techniques/T1543/003/" 59 } 60 ] 61 } 62 ] 63 }, 64 { 65 "framework": "MITRE ATT&CK", 66 "tactic": { 67 "id": "TA0002", 68 "name": "Execution", 69 "reference": "https://attack.mitre.org/tactics/TA0002/" 70 }, 71 "technique": [ 72 { 73 "id": "T1047", 74 "name": "Windows Management Instrumentation", 75 "reference": "https://attack.mitre.org/techniques/T1047/" 76 } 77 ] 78 } 79 ], 80 "timestamp_override": "event.ingested", 81 "type": "eql", 82 "version": 1 83} 84