Registry keys can be a very useful source for hunting and detecting malicious activity, but if they are ingested wholesale they can also be one of the noisiest. However, if organizations take the time to understand how registry keys can be used to help detect malicious activity, those keys can help security teams improve their security posture significantly. Join Cyborg Security’s Lee Archinal in his second instalment of our Threat Hunt Deep Dive series “Get to Know Your Logs!”
One of the universal hurdles that organizations face when it comes to cybersecurity is visibility within their own environment. Pair that with often non-technical restrictions on how and what teams can ingest from endpoints, routers, servers, and any other network devices and it is evident that gaps will exist. This doesn’t just affect the security posture of an organization, but it also hinders cybersecurity analysts as well. If you don’t have the appropriate logs to detect and respond to threats, security analysis is going to suffer.
In this series I share my experience on logs that I have used in my past lives as a SOC analyst and threat hunter. Half the battle is knowing what information the logs contain and why they are relevant to the investigation. The other half is creating a business use-case to get these logs ingested into your tools. While this series will not be the magic bullet and get you the logs you want, it will at least tell you how to use them in hunts and what they are telling you.
In this Threat Hunt Deep Dive, we focus on the Living Off the Land (LOTL) binary Esentutl.exe. Designed for running tasks and operations related to databases and database files, this executable can abuse the NTFS Alternate Data Streams (ADS) feature. Using different techniques, threat actors can hide files in these streams to accomplish different goals such as tool infiltration and data exfiltration. Esentutl.exe also has the ability to extract the ntds.dit file from a Shadow Copy, which provides the attacker with information about the Active Directory environment, including usernames and password hashes. By combining these techniques, the adversary can infiltrate the network, take what they want, and get the keys to the kingdom using one tool.
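As an added illustration of how a hunter might turn the two Esentutl.exe behaviours above into detection logic (this is example code written for this page, not Cyborg Security's content), the block below scans Sysmon-style process-creation records for esentutl.exe invocations that either reference an NTFS alternate data stream in a path argument or point at ntds.dit / a Volume Shadow Copy source. The `Image`/`CommandLine` field names and all sample events are constructed assumptions; the `/vss` switch is esentutl's documented option for reading a database from a shadow copy.

```python
import re

# Path argument carrying an alternate data stream: <drive>:\<path>:<stream>.
# The drive-letter colon is consumed first, so only a second colon inside
# the same whitespace-free token counts as a stream delimiter.
ADS_PATTERN = re.compile(r'[A-Za-z]:\\[^\s"]*?:[^\s"\\]+')
# Indicators that the ESE database being read is the AD database or a shadow copy.
VSS_PATTERN = re.compile(r'/vss\b', re.IGNORECASE)
NTDS_PATTERN = re.compile(r'ntds\.dit', re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Users\Public\report.docx:payload.bin /d C:\Users\Public\tool.exe /o"},
    {"EventId": 2, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit"},
    {"EventId": 3, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /mh C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"},
    {"EventId": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\Public\notes.txt:hidden"},
]


def classify_esentutl(event):
    """Return finding tags for one process-creation event; [] when nothing matches.

    Scoped to esentutl.exe only: ADS use by other images is a separate hunt.
    """
    image = event.get("Image", "")
    if not image.lower().endswith("\\esentutl.exe"):
        return []
    cmd = event.get("CommandLine", "")
    tags = []
    if ADS_PATTERN.search(cmd):
        tags.append("esentutl_ads_stream")
    if VSS_PATTERN.search(cmd) or NTDS_PATTERN.search(cmd):
        tags.append("esentutl_ntds_shadow_copy")
    return tags


def hunt(events):
    """Run the classifier over a batch and return (EventId, tag) pairs for triage."""
    return [(e["EventId"], tag) for e in events for tag in classify_esentutl(e)]


if __name__ == "__main__":
    for event_id, tag in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {tag}")
```

Legitimate database maintenance on a domain controller can also reference ntds.dit, so triage the second tag against host role and the account that launched the process rather than alerting on it blindly.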
Welcome to Threat Hunt Deep Dives, Episode 7! Today we are looking at the Registry Key Modification method, one that abuses registry keys by creating or modifying values that some trusted Windows executables look for during their process execution. Join us as we put this method under the microscope.