![]() Figure 2: Granular rule for monitoring Windows Registry objects Filter, Review, and Analyze Registry Events for Unauthorized Activities In addition to this, inclusion/exclusion filters can be added to specify what needs to be monitored and what doesn’t, ensuring minimal load on the CPU. Qualys FIM rules enable users to specify the depth they to want to traverse for real-time scans. This profile is based on the recommendations provided by Microsoft and research based on CIS, DISA benchmarks. ![]() Users can easily import these profiles, assign the profiles to assets and start monitoring them. Qualys FIM’s out-of-the-box monitoring profile includes the important registry objects to detect unauthorized changes to the autoruns, boot sequence, firewalls, and other critical functionalities. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run.HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce.HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx.HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx.The common registry keys modified by the malware are: The Windows registry can be compromised by storing malicious codes in the registry with Autorun capabilities, so that attacks refresh in the background even after a computer reboot.Īs documented by Microsoft, “Run keys are added in the registry so that the payload runs every time the machine starts and every time a new user signs in.” Figure 1: Monitoring Profile for Windows Registry Settings Coverage of Crucial Windows Registry Objects The new “Monitoring Profile for Windows Registry Settings” in Qualys File Integrity Monitoring enables you to track changes in the Windows registry, so you can take proactive steps towards securing your Windows assets. Footprints of an adversary having installed a program or application may also be found in the registry. The registry contains the configuration information for the hardware and software and may also contain information about recently used programs and files. Adversaries may interact with the Windows registry to hide configuration information within registry keys, remove information as a part of cleaning up, or as a part of other techniques to aid in persistence and execution.Īround 80 MITRE techniques/sub-techniques have “Windows Registry” as a data source, indicating that it covers a significant attack surface area. The Importance of Registry Integrity MonitoringĪ tactic that has been growing increasingly common is the use of registry keys to store and hide the next-step code for malware after it has been dropped on a system. It is therefore imperative for organizations to monitor changes in Windows registries as part of their file integrity monitoring program. With Windows registries storing a large number of programs and OS security settings and a large amount of raw data, threat actors have begun to use those registries as a data store for their malicious activity.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |