Transcript
Log360. To understand why Registry Entry failures are concerning, let's first understand the importance of the Registry. The Registry is a critical component of the Windows operating system and it serves as a database containing configuration settings for both the system and applications on the device. A Registry Entry is a record within the Registry that tells the computer something specific, like how to open a program or where to find a program. It can provide information on user profiles and on components, drivers and services. The Registry allows for centralized management of system and application settings and streamlines administrative tasks.

While admins often make legitimate Registry changes for tasks like troubleshooting, attackers can also leverage the Registry for malicious purposes. They can tamper with Registry entries and destabilize the entire operating system. They can also gain control over user accounts, services or system components. Now here's something to remember. While unauthorized modifications to the Registry are extremely concerning, we also need to pay attention to failed attempts to modify the Registry. This is because a series of failed modification attempts indicates that an unauthorized individual without the right permissions may be trying to target critical Registry keys to modify Registry entries.

Threat actors target Registries for multiple reasons. One major reason is to maintain access. An attacker may repeatedly attempt to change Registry settings to ensure persistent access to a system even after a reboot. The Registry can also be used as a communication channel for a command and control server. Malware might use Registry entries to store stolen data temporarily before sending it to the attacker's C&C server. The third reason is that frequent changes to the Registry can make it difficult for security tools to identify malicious activity. Ultimately, modifying Registry entries can sabotage system services entirely.
This is why tracking all Registry changes, including failed attempts to modify the Registry, is imperative for any security team. Let's see how attackers can make their way to the Registry. The attacker can gain initial access to the network by brute-forcing their way in or using social engineering attacks against unsuspecting employees. Vulnerabilities and unpatched systems can also grant network access to the attacker. In order to gain access to the Registry, the attacker needs elevated privileges. They may gain elevated privileges by compromising privileged user accounts or through vulnerability exploits. The attacker can then identify Registry keys that store critical information on users, configurations and more. The attacker can then go ahead and create, delete, or modify the Registry to achieve their goals.

Let's now see how Log360 detects this attack. Let's navigate to the Log360 interface to understand how attacks on the Registry can be detected. Log360 is a unified SIEM solution that offers prepackaged threat detection capabilities that help detect a range of commonly occurring threats. Once you log into the solution, you can navigate to the SIEM module or the Event Log Analyzer module and then to the Correlation tab at the top. On the left, you can view all predefined correlation rules. In the search bar, enter Registry, and this pulls up the Repeated Registry Entry Failures report. This shows you all the failed attempts to create a Registry entry on the network. We will come back to examine this information in more detail in just a moment. Let's first understand how Log360 detected this threat. Log360 comes with predefined rules which look for a set of events that occur sequentially and indicate a possible threat. To understand how this rule is configured, navigate to Manage and look for the name of the rule in the search bar. This pulls up the Pre-Configured Detection Rule to detect Registry Entry Failures.
By clicking on Copy Correlation Rule, you can view how this rule is configured. As you can see, the rule is triggered when 3 or more Registry Entry Failures on the same device take place within 10 minutes. Since a legitimate administrator possesses valid credentials to make Registry changes, it would not result in multiple failures. So when this rule is triggered, there's a high likelihood that an unauthorized individual might be brute-forcing their way into the Registry.

We can now return to the Pre-Built Report in Log360. Here you can view all instances of Registry Entry Failures. Clicking on the event time (9) allows you to view the series of entry creation attempts. You can click on Details to view other information like Security ID and Logon ID. The SID can be used to identify the user account involved in the failed Registry entries. The SID can also help in determining if the user is part of any privileged groups, which could be relevant for understanding the context of the failed Registry entries. The Logon ID helps in identifying the specific logon session associated with the failed Registry entries. This is valuable for pinpointing the exact session during which the failures occurred.

Now here are some next steps to take if you notice failed Registry entry attempts. You can proactively look for all Registry modifications by using Log360's pre-defined reports and then investigate if these modifications were needed. This information can be found under the report category called Registry Changes. Apart from Registry modifications, you can also see information about other Registry related activity like creations, deletions, accesses and more. As a crucial next step, you can also examine the system for any signs of compromise, such as backdoors, malware or unauthorized access. You can use Log360's SOAR capabilities to disable computers whose Registries were tampered with.
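To make the correlation rule concrete, here is an added example (not Log360's own code or output) that applies the same logic, 3 or more failed Registry entry attempts on one device within a sliding 10-minute window, to a small constructed set of events and surfaces the Security ID and Logon ID for the analyst. The event field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Log360 output). Field names are
# assumptions; each record is one Registry entry creation attempt on a device.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:10", "device": "WS-FIN-07", "sid": "S-1-5-21-1111-2222-3333-1105", "logon_id": "0x3E7F21", "outcome": "failure"},
    {"time": "2024-05-01T09:03:45", "device": "WS-FIN-07", "sid": "S-1-5-21-1111-2222-3333-1105", "logon_id": "0x3E7F21", "outcome": "failure"},
    {"time": "2024-05-01T09:05:00", "device": "WS-FIN-07", "sid": "S-1-5-21-1111-2222-3333-500", "logon_id": "0x1A2B3C", "outcome": "success"},
    {"time": "2024-05-01T09:08:20", "device": "WS-FIN-07", "sid": "S-1-5-21-1111-2222-3333-1105", "logon_id": "0x3E7F21", "outcome": "failure"},
    {"time": "2024-05-01T10:00:00", "device": "SRV-APP-02", "sid": "S-1-5-21-1111-2222-3333-1203", "logon_id": "0x44AA10", "outcome": "failure"},
    {"time": "2024-05-01T10:30:00", "device": "SRV-APP-02", "sid": "S-1-5-21-1111-2222-3333-1203", "logon_id": "0x44AA10", "outcome": "failure"},
    {"time": "2024-05-01T11:00:00", "device": "WS-HR-03", "sid": "S-1-5-21-1111-2222-3333-1310", "logon_id": "0x5C5C01", "outcome": "failure"},
    {"time": "2024-05-01T11:04:00", "device": "WS-HR-03", "sid": "S-1-5-21-1111-2222-3333-1310", "logon_id": "0x5C5C01", "outcome": "failure"},
    {"time": "2024-05-01T11:15:00", "device": "WS-HR-03", "sid": "S-1-5-21-1111-2222-3333-1310", "logon_id": "0x5C5C01", "outcome": "failure"},
]

THRESHOLD = 3                   # failures needed to fire, as in the rule
WINDOW = timedelta(minutes=10)  # sliding time window, as in the rule


def correlate_registry_failures(events, threshold=THRESHOLD, window=WINDOW):
    """Emit one alert per device where >= threshold failed Registry entry
    attempts fall inside any span no longer than `window`. Successes are ignored."""
    by_device = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            by_device[ev["device"]].append(ev)
    alerts = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        start = 0
        for end, ev in enumerate(evs):
            t_end = datetime.fromisoformat(ev["time"])
            # Slide the window start forward until evs[start..end] all fit in it
            while t_end - datetime.fromisoformat(evs[start]["time"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "device": device,
                    "count": len(burst),
                    "first_seen": burst[0]["time"],
                    "last_seen": burst[-1]["time"],
                    # Security ID and Logon ID are the pivots for the investigation
                    "sids": sorted({e["sid"] for e in burst}),
                    "logon_ids": sorted({e["logon_id"] for e in burst}),
                })
                break  # one alert per device burst is enough for the analyst
    return alerts
```

In the sample data only WS-FIN-07 fires: SRV-APP-02 has two failures 30 minutes apart, and WS-HR-03's third failure lands 15 minutes after its first, so no 10-minute span ever holds three.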
Furthermore, by patching all your software on time, you can reduce the chances of attackers gaining access to the network itself. User education and safe cyber practices will also definitely reduce the odds of any malware entering your network. Thank you for watching this video. For further queries, you can send us an email at log360-support@manageengine.com. You can also download a free version of our solution at the link provided. With no cost and zero risk, you can try Log360 in your environment for 30 days.