Sysmon Alert Details
Alert ID: SYSMON-REGQUERY-1012-7842
Alert Time: 2024-02-25 11:30:22 EST
Severity: MEDIUM (68/100)
Source: Sysmon (Event ID 1 – Process Creation, Event ID 12-13 – Registry Events)
Rule: “Suspicious Registry Queries – Potential Reconnaissance”
MITRE ATT&CK: T1012 – Query Registry
Alert Details:
Detection: Multiple registry queries of sensitive keys from a suspicious process
Host: FIN-WS-078 (Finance Workstation)
User: bturner (Brian Turner, Accountant)
Time: 11:25 EST
Registry Queries:
11:25:10 – Query: HKLM\SAM\SAM (attempted) – ACCESS DENIED
11:25:12 – Query: HKLM\SECURITY\SECURITY (attempted) – ACCESS DENIED
11:25:15 – Query: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (success)
11:25:18 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (success)
11:25:21 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (success)
11:25:24 – Query: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (success)
11:25:27 – Query: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares (success)
11:25:30 – Query: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (success)
11:25:33 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (success)
11:25:36 – Query: HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (success)
Process Details:
Process: C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
Detection Logic:
Process accessing multiple sensitive registry keys
Attempt to access SAM/SECURITY (privilege escalation indicators)
Queries of autostart locations (persistence discovery)
Process from Temp folder (suspicious)
Pattern matches malware reconnaissance
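The detection logic listed above, replayed as an added Python example (this is not code from the alert page or from any vendor rule): it groups constructed Sysmon-style registry events per process, classifies each target key into the categories the alert reasons about, and scores a burst of sensitive queries, giving extra weight to SAM/SECURITY attempts and to images running from the user's Temp folder. The event field names, the sample records, and the score weights are assumptions made for illustration.

```python
"""Added example, not from the original alert: replays the rule's detection
logic over constructed Sysmon-style registry events.  Field names (UtcTime,
EventID, Image, ProcessId, TargetObject, Result), sample records and score
weights are assumptions for illustration, not real telemetry or a vendor rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive key prefixes, grouped into the categories the alert reasons about.
SENSITIVE_PREFIXES = {
    r"HKLM\SAM": "credential store",
    r"HKLM\SECURITY": "credential store",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "autostart",   # also matches RunOnce
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": "autostart",
    r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares": "share discovery",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": "logon settings",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall": "installed software",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": "network settings",
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor": "system discovery",
}
TEMP_FRAGMENT = "\\appdata\\local\\temp\\"   # user-writable Temp folder, matched case-insensitively


def classify(target: str):
    """Return the category of a registry path, or None if it is not a sensitive key."""
    t = target.lower()
    for prefix, category in SENSITIVE_PREFIXES.items():
        if t.startswith(prefix.lower()):
            return category
    return None


def score_process(events, window=timedelta(seconds=60), threshold=50):
    """Group sensitive registry events per (image, pid) and score each burst.

    Scoring (assumed weights for this example):
      +8  per distinct sensitive category touched inside the window
      +20 if the credential store (SAM/SECURITY) was touched, even when denied
      +12 if the image runs from the user's Temp folder
    Returns one finding per process whose score reaches the threshold.
    """
    buckets = defaultdict(list)   # (image, pid) -> [(time, category, result), ...]
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        cat = classify(ev["TargetObject"])
        if cat is None:
            continue                      # ordinary registry traffic is ignored
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        buckets[(ev["Image"], ev["ProcessId"])].append((t, cat, ev["Result"]))

    findings = []
    for (image, pid), rows in buckets.items():
        start = rows[0][0]
        in_window = [r for r in rows if r[0] - start <= window]
        categories = {cat for _, cat, _ in in_window}
        cred_attempt = any(cat == "credential store" for _, cat, _ in in_window)
        temp_path = TEMP_FRAGMENT in image.lower()
        score = min(100, 8 * len(categories) + 20 * cred_attempt + 12 * temp_path)
        if score >= threshold:
            findings.append({
                "image": image, "pid": pid, "score": score,
                "categories": sorted(categories),
                "credential_store_attempt": cred_attempt,
                "runs_from_temp": temp_path,
                "denied": sum(1 for _, _, res in in_window if res == "ACCESS DENIED"),
            })
    return findings


def _ev(time, image, pid, target, result="SUCCESS", event_id=13):
    """Build one constructed Sysmon-style registry event record."""
    return {"UtcTime": time, "EventID": event_id, "Image": image,
            "ProcessId": pid, "TargetObject": target, "Result": result}


SCANNER = r"C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe"
# Constructed sample: the ten queries from the alert plus one benign system event.
SAMPLE_EVENTS = [
    _ev("2024-02-25 11:25:10", SCANNER, 4789, r"HKLM\SAM\SAM", "ACCESS DENIED"),
    _ev("2024-02-25 11:25:12", SCANNER, 4789, r"HKLM\SECURITY\SECURITY", "ACCESS DENIED"),
    _ev("2024-02-25 11:25:15", SCANNER, 4789, r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"),
    _ev("2024-02-25 11:25:18", SCANNER, 4789, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    _ev("2024-02-25 11:25:21", SCANNER, 4789, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    _ev("2024-02-25 11:25:24", SCANNER, 4789, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    _ev("2024-02-25 11:25:27", SCANNER, 4789, r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"),
    _ev("2024-02-25 11:25:30", SCANNER, 4789, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"),
    _ev("2024-02-25 11:25:33", SCANNER, 4789, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    _ev("2024-02-25 11:25:36", SCANNER, 4789, r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    # Benign noise: a system service reading TCP/IP settings only (one category, no alert).
    _ev("2024-02-25 11:25:16", r"C:\Windows\System32\svchost.exe", 1204,
        r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"),
]

if __name__ == "__main__":
    for finding in score_process(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the scanner's burst touches seven categories, includes two denied credential-store attempts and runs from Temp, so it scores 88 and is reported, while svchost.exe (one category) is not. One caveat for anyone porting this to real telemetry: Sysmon's registry events (IDs 12, 13 and 14) record key creation/deletion, value writes and renames rather than reads, so a "query" detection like this one in practice usually draws on object-access auditing of the registry or on an EDR's registry read telemetry, and the field names must be mapped accordingly.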
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed suspicious registry queries |
| 2. Process Analysis | Analyze reg_scanner.exe | CrowdStrike Sandbox | Malware that enumerates registry for autostart, system info |
| 3. Immediate Action | Terminate process | CrowdStrike | Process killed |
| 4. File Deletion | Delete reg_scanner.exe | CrowdStrike Live Response | File removed |
| 5. User Interview | Contact bturner | Teams, Phone | User downloaded “registry cleaner” tool – unaware |
| 6. Host Scan | Full scan for other malware | CrowdStrike | No additional malware found |
Jira Incident Report
Ticket: SOC-2024-128
Summary: T1012 – Registry Query Reconnaissance by Malicious Tool
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P2 – MEDIUM
Labels: T1012, query-registry, registry-recon, sysmon, malware
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon (Event ID 1, 12-13).
Alert: “Suspicious Registry Queries – Potential Reconnaissance”.
Host: FIN-WS-078 (Finance Department, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe.
Time: 2024-02-25 11:30 EST.
Technique: MITRE ATT&CK T1012 – Query Registry.
2. Technical Analysis:
Attack Chain:
11:15 – User clicks pop-up ad for “Registry Cleaner”
11:16 – Downloads reg_scanner.exe from malicious site
11:17 – Executes file
11:18-11:25 – Tool queries multiple registry keys
11:25 – Sysmon detects
11:26 – SOC investigates
Registry Queries Performed:
SAM/SECURITY: Attempted to read the credential hives (privilege escalation indicator; access denied)
Autostart Locations: Run, RunOnce (persistence discovery)
Network Settings: TCP/IP parameters (network info)
Shares: LanmanServer (share discovery)
Winlogon: Credential management settings
Uninstall: Installed software list
Hardware: CPU info (system discovery)
Malware Analysis:
Name: reg_scanner.exe (Registry Optimizer scam)
SHA256: a1b2c3d4…
Capabilities:
Enumerates registry for system information
Displays fake “issues found” to scare user
Prompts user to pay for “fix”
No actual malware payload (adware/scareware)
User Intent:
User thought tool would speed up computer
Unaware of risks
No data exfiltrated
3. Investigation Findings:
Timeline:
11:15 – User clicks ad
11:16-11:17 – Download and execution
11:18-11:25 – Registry queries
11:25 – Sysmon alert
11:26 – SOC investigates
11:28 – Process terminated
11:29 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe (SHA256: a1b2c3d4…)
Registry:
– Queries of SAM, SECURITY, Run, RunOnce, Uninstall, etc.
Network:
– No C2 (adware only)
4. Containment Actions:
Immediate Actions:
Terminated reg_scanner.exe.
Deleted executable.
Full scan (clean).
No isolation needed (non-persistent).
User Remediation:
User counseled on downloading untrusted software.
Ad-blocker enabled in browser.
5. Root Cause Analysis:
Primary Cause: User clicked on malicious ad and downloaded scareware.
Contributing Factors:
No application control blocking unknown executables.
User unaware of adware risks.
6. Business Impact:
Operational Impact: Finance user offline for 30 minutes.
Data Exposure: None (no exfiltration).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Ad-blocker enabled.
Technical Controls Enhanced:
Created alert for registry queries of sensitive keys.
Enhanced application control policies.
8. Conclusion:
A user downloaded a fake registry cleaner that performed extensive registry reconnaissance, including attempts to access SAM. Sysmon detected the anomalous registry queries, enabling rapid removal. The tool was adware, not a major threat, but highlighted user awareness gaps.
Closure Rationale: Malware removed; user educated; registry monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 12:30 EST