Каталоги
- Сертификаты СЗИ - Государственный реестр сертифицированных средств защиты информации опубликованный Федеральной службой по техническому и экспортному контролю, может быть использован для контроля актуальности используемых СЗИ в организации.
- CVE уязвимости - общедоступная публичная база уязвимостей Common Vulnerabilities and Exposures (CVE). Миссия программы CVE заключается в выявлении, определении и каталогизации публично раскрываемых уязвимостей в сфере кибербезопасности. Для каждой уязвимости в каталоге существует одна запись CVE. Уязвимости обнаруживаются, затем присваиваются и публикуются организациями по всему миру, которые сотрудничают с программой CVE. Партнеры публикуют записи CVE для единообразного описания уязвимостей. Специалисты в области информационных технологий и кибербезопасности используют записи CVE, чтобы убедиться, что они обсуждают одну и ту же проблему, и координировать свои усилия по определению приоритетности и устранению уязвимостей.
- БДУ ФСТЭК уязвимости - раздел Уязвимости Банка данных уязвимостей опубликованная Федеральной службой по техническому и экспортному контролю совместно с Государственным научно-исследовательским испытательным институтом проблем технической защиты информации. Одной из целей создания банка данных угроз безопасности информации является объединение специалистов в области информационной безопасности для решения задач повышения защищенности информационных систем.
- НКЦКИ уязвимости - общедоступная публичная база уязвимостей Национального координационного центра по компьютерным инцидентам (НКЦКИ), обеспечивающего координацию деятельности субъектов КИИ по обнаружению, предупреждению, ликвидации последствий компьютерных атак и реагированию на компьютерные инциденты.
- MITRE ATT&CK – Adversarial Tactics, Techniques & Common Knowledge – Тактики, техники и общеизвестные знания о злоумышленниках. Это основанная на реальных наблюдениях база знаний компании Mitre, содержащая описание тактик, приемов и методов, используемых киберпреступниками. База создана в 2013 году и регулярно обновляется, цель – составление структурированной матрицы используемых киберпреступниками приемов, чтобы упростить задачу реагирования на киберинциденты.
- БДУ ФСТЭК и Новая БДУ ФСТЭК – раздел Угрозы Банка данных угроз, опубликованный в 2015 году Федеральной службой по техническому и экспортному контролю и Государственным научно-исследовательским испытательным институтом проблем технической защиты информации, обязателен при моделировании угроз при построении систем защиты персональных данных, критической информационной инфраструктуры, государственных информационных систем.
CVE, БДУ ФСТЭК и НКЦКИ
Интерфейс каталогов идентичен и содержит следующие блоки:
- Метрики:
- Найденные уязвимости – отображает количество найденных в отчетах от сканеров уязвимостей которые связаны с уязвимостями из каталога, при нажатии на виджет перенаправляет в модуль Технические уязвимости с установленным фильтром по названию каталога (тип фильтра Группа уязвимостей);
- Уязвимые хосты – отображает количество хостов на которых обнаружены уязвимости связанные с уязвимостями из каталога, при нажатии на виджет перенаправляет в модуль Технические уязвимости с установленным фильтром по названию каталога (тип фильтра Группа уязвимостей).
- Табличную часть Каталог уязвимостей:
- Фильтр по полю Идентификатор - особенностью данного фильтра является автоматический разбор текста с последующим извлечением из текста идентификаторов. Для этого необходимо вставить произвольный текст с идентификаторами в поле и добавить в фильтр через кнопку плюс;
- Табличную часть с полями для каталогов CVE и БДУ ФСТЭК:
- Идентификатор - id уязвимости в базе уязвимостей;
- Описание - текстовое описание уязвимости;
- Обнаружено - флаг, данный статус отображается если уязвимость обнаружена в отчетах о сканировании;
- CVSS - числовая оценка уязвимости согласно источнику, с указанием даты выявления уязвимости экспертами, оценка отображается цветом согласно оценке CVSS 0.1 – 3.9 Low Зеленый,
4.0 – 6.9 Medium Желтый, 7.0 – 8.9 High Оранжевый, 9.0 – 10.0 Critical Красный.
- Табличную часть с полями для каталогов CVE :
- Дата бюллетеня - информация о дате публикации бюллетеня содержащего уязвимости;
- Идентификатор - id уязвимости в базе уязвимостей;
- Информация - текстовое описание уязвимости;
- Вектор атаки - локальный или сетевой вектор атаки;
- Обнаружено - флаг, данный статус отображается если уязвимость обнаружена в отчетах о сканировании;
- Наличие обновления - - флаг, данный статус отображается если база уязвимостей содержит информацию о наличии обновлений от производителя уязвимого ПО;
- Дата выявления - даты выявления уязвимости экспертами.
- Чекбокс «Только обнаруженные уязвимости» - устанавливает фильтр на табличную часть для отображения только обнаруженные уязвимости.
- Функционал для экспорта всех уязвимостей каталога.
- Для каталога добавляется функционал Варианты отображения:
- Бюллетени - изменяет отображение табличной части на реестр бюллетеней, отображает общее количество уязвимостей в бюллетени в поле Уязвимостей в бюллетени и статус по обнаружению в поле Обнаружено - данный статус отображается если хотя бы одна уязвимость из бюллетеня обнаружена в инфраструктуре.
- Уязвимости.
MITRE ATT&CK, БДУ ФСТЭК, Новая БДУ ФСТЭК
Каждый из указанных каталогов сформирован по собственной схеме данных, которая не соответствует подходу оценки риска, используемому в сервисе. Но в основе своей указанные базы описывают все те же риски информационной безопасности, каждый под своим углом. Поэтому они добавлены в сервис и как отдельные компоненты и как основа для создания рисков, угроз или уязвимостей.
Каталоги могут использоваться в сервисе с целью:
- Облегчения процесса формирования рисков, угроз и уязвимостей;
- Обогащения информации по рискам (угрозам, уязвимостям) созданным в сервисе.
- Взгляда на компанию и оценку рисков через публичные каталоги угроз.
- Уязвимости могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK и способами реализации Новой БДУ ФСТЭК.
- Угрозы могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK, угрозами и последствиями Новой БДУ ФСТЭК.
- Риски могут быть связаны с угрозами БДУ ФСТЭК, техниками ATT&CK, угрозами, способами реализации и последствиями Новой БДУ ФСТЭК.
Для рисков, угроз и уязвимостей из базы Community связи с каталогами угроз уже установлены.
Связь с каталогом угроз может быть прямой или косвенной. Например, если уязвимость связана с угрозой из БДУ ФСТЭК то и все риски, в составе которых есть данная уязвимость будут автоматически связаны с угрозой из БДУ ФСТЭК.
Каталог БДУ ФСТЭК - это реестр рисков от банка данных угроз безопасности информации ФСТЭК России.
Каждая угроза содержит описание, рекомендации к каким типам активов может быть применена эта угроза, классификация по свойствам информации и вероятные источники угрозы. Дополнительно в блоке Связанные риски указаны связанные риски, а в блоке Каталоги указываются связи с записями из других каталогов.
Каталог Новая БДУ ФСТЭК от банка данных угроз безопасности информации ФСТЭК России содержит:
- матрицу Способы реализации (возникновения угроз) - каждая ячейка которых содержит описание поверхности атаки: группу способов, уровень возможностей нарушителя, возможные реализуемые угрозы, компоненты объектов воздействия, возможные меры защиты;
- Негативные последствия - перечень негативных последствий в классификации ФСТЭК в виде кода и описания;
- Угрозы - реестр угроз с описанием, каждая угроза содержит возможные объекты воздействия и возможные способы реализации угроз;
- Объекты - перечень объектов последствий с описанием и компонентами которые могут входить в состав объекта;
- Компоненты - перечень компонентов объектов воздействия с указанием объектов воздействия на которых они могут располагаться;
- Нарушители - уровни возможностей нарушителей классифицированные по возможностям и компетенции;
- Меры защиты - в терминологии SECURITM это список требований выполнение которых сокращает возможности нарушителя.
- Матрица - содержит тактики и техники злоумышленника, позволяет на основании тактики или техники создать риск или уязвимость, в матрице указаны связи с рисками в базе Community и с рисками в базе команды;
- Тактики - направления действия нарушителя на том или ином этапе cyberkillchane;
- Техники - конкретные действия нарушителя для достижения цели на конкретном шаге cyberkillchane;
- Контрмеры - в терминологии SECURITM это список требований выполнение которых сокращает возможности нарушителя;
- Преступные группы - описание APT группировок и их особенности и модель поведения;
- Инструменты - ПО используемое нарушителями для вредоносного воздействия.
Сертификаты СЗИ
- Имеющиеся СЗИ - отображает количество активов у которых заполнено поле Номер сертификата СЗИ;
- Скоро будут просрочены - отображает количество активов у которых срок действия сертификата меньше 90 календарных дней;
- Просроченные сертификаты - отображает количество активов у которых срок действия сертификата уже истек;
- Истекшая поддержка - отображает количество активов у которых срок действия сертификата уже истек.
- Номер сертификата;
- Дата внесения в реестр;
- Срок действия сертификата;
- Срок окончания тех. поддержки;
- Наименование средства (шифр);
- Схема сертификации;
- Испытательная лаборатория;
- Орган по сертификации;
- Заявитель;
- Наименования документов соответствия;
- Реквизиты заявителя.
Query Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Procedure Examples |
|
| Name | Description |
|---|---|
| SynAck |
SynAck enumerates Registry keys associated with event logs.(Citation: SecureList SynAck Doppelgänging May 2018) |
| Bumblebee |
Bumblebee can check the Registry for specific keys.(Citation: Medium Ali Salem Bumblebee April 2022) |
| Proxysvc |
Proxysvc gathers product names from the Registry key: |
| Stuxnet |
Stuxnet searches the Registry for indicators of security programs.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| POWRUNER |
POWRUNER may query the Registry by running |
| SILENTTRINITY |
SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` and `HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| PowerSploit |
PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Ursnif |
Ursnif has used Reg to query the Registry for installed programs.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro BKDR_URSNIF.SM) |
| POWERSOURCE |
POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.(Citation: Cisco DNSMessenger March 2017) |
| Zeus Panda |
Zeus Panda checks for the existence of a Registry key and if it contains certain values.(Citation: GDATA Zeus Panda June 2017) |
| Bankshot |
Bankshot searches for certain Registry keys to be configured before executing the payload.(Citation: US-CERT Bankshot Dec 2017) |
| Brave Prince |
Brave Prince gathers information about the Registry.(Citation: McAfee Gold Dragon) |
| TinyTurla |
TinyTurla can query the Registry for its configuration information.(Citation: Talos TinyTurla September 2021) |
| Crimson |
Crimson can check the Registry for the presence of |
| TEARDROP |
TEARDROP checked that |
| DUSTTRAP |
DUSTTRAP can enumerate Registry items.(Citation: Google Cloud APT41 2024) |
| PcShare |
PcShare can search the registry files of a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Woody RAT |
Woody RAT can search registry keys to identify antivirus programs on an compromised host.(Citation: MalwareBytes WoodyRAT Aug 2022) |
| Mafalda |
Mafalda can enumerate Registry keys with all subkeys and values.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| HOPLIGHT |
A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key |
| WastedLocker |
WastedLocker checks for specific registry keys related to the |
| InvisiMole |
InvisiMole can enumerate Registry values, keys, and data.(Citation: ESET InvisiMole June 2018) |
| Volgmer |
Volgmer checks the system for certain Registry keys.(Citation: US-CERT Volgmer 2 Nov 2017) |
| TRANSLATEXT |
TRANSLATEXT has queried the following registry key to check for installed Chrome extensions: ` HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist `.(Citation: Zscaler Kimsuky TRANSLATEXT) |
| FatDuke |
FatDuke can get user agent strings for the default browser from |
| Lucifer |
Lucifer can check for existing stratum cryptomining information in |
| Rising Sun |
Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName`.(Citation: McAfee Sharpshooter December 2018) |
| ROKRAT |
ROKRAT can access the |
| DarkWatchman |
DarkWatchman can query the Registry to determine if it has already been installed on the system.(Citation: Prevailion DarkWatchman 2021) |
| PlugX |
PlugX can enumerate and query for information contained within the Windows Registry.(Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013) |
| Reaver |
Reaver queries the Registry to determine the correct Startup path to use for persistence.(Citation: Palo Alto Reaver Nov 2017) |
| Bisonal |
Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.(Citation: Talos Bisonal Mar 2020) |
| Epic |
Epic uses the |
| Clambling |
Clambling has the ability to enumerate Registry keys, including |
| SVCReady |
SVCReady can search for the `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System` Registry key to gather system information.(Citation: HP SVCReady Jun 2022) |
| Carbanak |
Carbanak checks the Registry key |
| Hydraq |
Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
| Saint Bot |
Saint Bot has used `check_registry_keys` as part of its environmental checks.(Citation: Malwarebytes Saint Bot April 2021) |
| CharmPower |
CharmPower has the ability to enumerate `Uninstall` registry values.(Citation: Check Point APT35 CharmPower January 2022) |
| Mori |
Mori can read data from the Registry including from `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\`.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| QUADAGENT |
QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.(Citation: Unit 42 QUADAGENT July 2018) |
| BendyBear |
BendyBear can query the host's Registry key at |
| Uroburos |
Uroburos can query the Registry, typically `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds`, to find the key and path to decrypt and load its kernel driver and kernel driver loader.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
| gh0st RAT |
gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.(Citation: Gh0stRAT ATT March 2019) |
| Shamoon |
Shamoon queries several Registry keys to identify hard disk partitions to overwrite.(Citation: Palo Alto Shamoon Nov 2016) |
| StoneDrill |
StoneDrill has looked in the registry to find the default browser path.(Citation: Kaspersky StoneDrill 2017) |
| Attor |
Attor has opened the registry and performed query searches.(Citation: ESET Attor Oct 2019) |
| LitePower |
LitePower can query the Registry for keys added to execute COM hijacking.(Citation: Kaspersky WIRTE November 2021) |
| QUIETCANARY |
QUIETCANARY has the ability to retrieve information from the Registry.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| Derusbi |
Derusbi is capable of enumerating Registry keys and values.(Citation: FireEye Periscope March 2018) |
| BlackByte Ransomware |
BlackByte Ransomware enumerates the Registry, specifically the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` key.(Citation: Trustwave BlackByte 2021) |
| SodaMaster |
SodaMaster has the ability to query the Registry to detect a key specific to VMware.(Citation: Securelist APT10 March 2021) |
| LiteDuke |
LiteDuke can query the Registry to check for the presence of |
| Sibot |
Sibot has queried the registry for proxy server information.(Citation: MSTIC NOBELIUM Mar 2021) |
| ZxxZ |
ZxxZ can search the registry of a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
| WINDSHIELD |
WINDSHIELD can gather Registry values.(Citation: FireEye APT32 May 2017) |
| Shark |
Shark can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID.(Citation: Accenture Lyceum Targets November 2021) |
| Bazar |
Bazar can query |
| RATANKBA |
RATANKBA uses the command |
| Kapeka |
Kapeka queries registry values for stored configuration information.(Citation: WithSecure Kapeka 2024) |
| Zebrocy |
Zebrocy executes the |
| FinFisher |
FinFisher queries Registry values as part of its anti-sandbox checks.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| Cobalt Strike |
Cobalt Strike can query |
| SUNBURST |
SUNBURST collected the registry value |
| REvil |
REvil can query the Registry to get random file extensions to append to encrypted files.(Citation: Secureworks REvil September 2019) |
| Valak |
Valak can use the Registry for code updates and to collect credentials.(Citation: Unit 42 Valak July 2020) |
| Samurai |
Samurai can query `SOFTWARE\Microsoft\.NETFramework\policy\v2.0` for discovery.(Citation: Kaspersky ToddyCat June 2022) |
| Milan |
Milan can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID.(Citation: Accenture Lyceum Targets November 2021) |
| Taidoor |
Taidoor can query the Registry on compromised hosts using |
| Raccoon Stealer |
Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the `HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid` key.(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022) |
| Carbon |
Carbon enumerates values in the Registry.(Citation: ESET Carbon Mar 2017) |
| Cardinal RAT |
Cardinal RAT contains watchdog functionality that periodically ensures |
| Gold Dragon |
Gold Dragon enumerates registry keys with the command |
| Carberp |
Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.(Citation: Prevx Carberp March 2011) |
| Pillowmint |
Pillowmint has used shellcode which reads code stored in the registry keys |
| FunnyDream |
FunnyDream can check `Software\Microsoft\Windows\CurrentVersion\Internet Settings` to extract the `ProxyServer` string.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| CHOPSTICK |
CHOPSTICK provides access to the Windows Registry, which can be used to gather information.(Citation: FireEye APT28) |
| Reg |
Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.(Citation: Microsoft Reg) |
| FELIXROOT |
FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018) |
| ZxShell |
ZxShell can query the netsvc group value data located in the svchost group Registry key.(Citation: Talos ZxShell Oct 2014) |
| BabyShark |
BabyShark has executed the |
| njRAT |
njRAT can read specific registry values.(Citation: Trend Micro njRAT 2018) |
| ComRAT |
ComRAT can check the default browser by querying |
| JPIN |
JPIN can enumerate Registry keys.(Citation: Microsoft PLATINUM April 2016) |
| Industroyer |
Industroyer has a data wiper component that enumerates keys in the Registry |
| DownPaper |
DownPaper searches and reads the value of the Windows Update Registry Run key.(Citation: ClearSky Charming Kitten Dec 2017) |
| Gelsemium |
Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.(Citation: ESET Gelsemium June 2021) |
| Denis |
Denis queries the Registry for keys and values.(Citation: Cybereason Cobalt Kitty 2017) |
| Waterbear |
Waterbear can query the Registry key |
| OSInfo |
OSInfo queries the registry to look for information about Terminal Services.(Citation: Symantec Buckeye) |
| Dtrack |
Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.(Citation: CyberBit Dtrack) |
| Azorult |
Azorult can check for installed software on the system under the Registry key |
| BitPaymer |
BitPaymer can use the RegEnumKeyW to iterate through Registry keys.(Citation: Crowdstrike Indrik November 2018) |
| BACKSPACE |
BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.(Citation: FireEye APT30) |
| ADVSTORESHELL |
ADVSTORESHELL can enumerate registry keys.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015) |
| Turla |
Turla surveys a system upon check-in to discover information in the Windows Registry with the |
| Operation Wocao |
Operation Wocao has queried the registry to detect recent PuTTY sessions.(Citation: FoxIT Wocao December 2019) |
| Fox Kitten |
Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Lazarus Group |
Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: |
| Indrik Spider |
Indrik Spider has used a service account to extract copies of the `Security` Registry hive.(Citation: Mandiant_UNC2165) |
| APT39 |
APT39 has used various strains of malware to query the Registry.(Citation: FBI FLASH APT39 September 2020) |
| Dragonfly 2.0 |
Dragonfly 2.0 queried the Registry to identify victim information.(Citation: US-CERT TA18-074A) |
| ZIRCONIUM |
ZIRCONIUM has used a tool to query the Registry for proxy settings.(Citation: Zscaler APT31 Covid-19 October 2020) |
| BlackByte |
BlackByte queried registry values to determine system language settings.(Citation: Picus BlackByte 2022) |
| Threat Group-3390 |
A Threat Group-3390 tool can read and decrypt stored Registry values.(Citation: Nccgroup Emissary Panda May 2018) |
| APT32 |
APT32's backdoor can query the Windows Registry to gather system information. (Citation: ESET OceanLotus Mar 2019) |
| Dragonfly |
Dragonfly has queried the Registry to identify victim information.(Citation: US-CERT TA18-074A) |
| OilRig |
OilRig has used |
| Chimera |
Chimera has queried Registry keys using |
| Volt Typhoon |
Volt Typhoon has queried the Registry on compromised systems, `reg query hklm\software\`, for information on installed software including PuTTY.(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Kimsuky |
Kimsuky has obtained specific Registry keys and values on a compromised host.(Citation: Talos Kimsuky Nov 2021) |
| Lotus Blossom |
Lotus Blossom has run commands such as `reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters` to verify if installed implants are running as a service.(Citation: Cisco LotusBlossom 2025) |
| Daggerfly |
Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.(Citation: Symantec Daggerfly 2023) |
| APT41 |
APT41 queried registry values to determine items such as configured RDP ports and network configurations.(Citation: Rostovcev APT41 2021) |
| Stealth Falcon |
Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.(Citation: Citizen Lab Stealth Falcon May 2016) |
Mitigations |
|
| Mitigation | Description |
|---|---|
| Query Registry Mitigation |
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
References
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
- Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- FinFisher. (n.d.). Retrieved September 12, 2024.
- Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
- Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
- CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
- Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
- Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.