1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
6  "from": "now-9m",
7  "index": [
8    "logs-endpoint.events.*",
9    "winlogbeat-*",
10    "logs-windows.*"
11  ],
12  "language": "eql",
13  "license": "Elastic License v2",
14  "name": "Persistence via WMI Standard Registry Provider",
15  "query": "registry where \n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n                  \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n                  \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n                  \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\", \n                  \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n                  )\n",
16  "references": [
17    "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
18  ],
19  "risk_score": 73,
20  "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
21  "severity": "high",
22  "tags": [
23    "Elastic",
24    "Host",
25    "Windows",
26    "Threat Detection",
27    "Persistence"
28  ],
29  "threat": [
30    {
31      "framework": "MITRE ATT&CK",
32      "tactic": {
33        "id": "TA0003",
34        "name": "Persistence",
35        "reference": "https://attack.mitre.org/tactics/TA0003/"
36      },
37      "technique": [
38        {
39          "id": "T1547",
40          "name": "Boot or Logon Autostart Execution",
41          "reference": "https://attack.mitre.org/techniques/T1547/",
42          "subtechnique": [
43            {
44              "id": "T1547.001",
45              "name": "Registry Run Keys / Startup Folder",
46              "reference": "https://attack.mitre.org/techniques/T1547/001/"
47            }
48          ]
49        },
50        {
51          "id": "T1543",
52          "name": "Create or Modify System Process",
53          "reference": "https://attack.mitre.org/techniques/T1543/",
54          "subtechnique": [
55            {
56              "id": "T1543.003",
57              "name": "Windows Service",
58              "reference": "https://attack.mitre.org/techniques/T1543/003/"
59            }
60          ]
61        }
62      ]
63    },
64    {
65      "framework": "MITRE ATT&CK",
66      "tactic": {
67        "id": "TA0002",
68        "name": "Execution",
69        "reference": "https://attack.mitre.org/tactics/TA0002/"
70      },
71      "technique": [
72        {
73          "id": "T1047",
74          "name": "Windows Management Instrumentation",
75          "reference": "https://attack.mitre.org/techniques/T1047/"
76        }
77      ]
78    }
79  ],
80  "timestamp_override": "event.ingested",
81  "type": "eql",
82  "version": 1
83}
84