Suspicious Registry Events

These detections identify suspicious activity from Sysmon Registry Event records collected by Insight Agent from Windows endpoints.

Suspicious Registry Event - BCDEDIT Disable Auto Recovery

Description

This detection identifies the BCDEdit utility being used to disable automatic recovery, making the corresponding registry change that turns off Automatic Windows Repair. Ransomware has been observed doing this to prevent the system from automatically reverting to a known good state.

Recommendation

Inspect the Target process that modified the registry entry, and investigate other process activity around the time of the command for anything suspicious. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Inhibit System Recovery - T1490

Suspicious Registry Event - BCDEDIT Safeboot Minimal

Description

This detection identifies the BCDEdit utility being used to enable safeboot, making the corresponding registry change so that the system boots into Safe Mode. Ransomware has been observed doing this to evade detection, since most EDR products do not function in Safe Mode.

Recommendation

Inspect the Target process that modified the registry entry, and investigate other process activity around the time of the command for anything suspicious. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Inhibit System Recovery - T1490
  • Impair Defenses - T1562

Suspicious Registry Event - BCDEDIT Update Boot Status Policy - ignoreallfailures

Description

This detection identifies the BCDEdit utility being used to set the Boot Status Policy to ignoreallfailures, making the corresponding registry change so that the computer attempts to boot normally even after a failed boot, failed shutdown, or failed checkpoint. Ransomware has been observed doing this to prevent the system from automatically reverting to a known good state.

Recommendation

Inspect the Target process that modified the registry entry, and investigate other process activity around the time of the command for anything suspicious. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Inhibit System Recovery - T1490

Suspicious Registry Event - Unusual Registry Run Keys

Description

This detection identifies an Autorun registry key being set for persistence where the Target executable resides in an unusual directory.

Recommendation

Inspect the Target process that modified the registry entry, and investigate other process activity around the time of the command for anything suspicious. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Registry Run Keys / Startup Folder - T1547.001
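The following is an added example of the kind of check the Unusual Registry Run Keys detection describes; it is not Rapid7's detection logic or any Insight Agent code. It runs over Sysmon Registry Event records (Event ID 13, value set) shaped as dictionaries with the standard Sysmon fields, flags writes to Run/RunOnce values whose target executable lives in a directory a defender would treat as unusual, and is meant to be tuned. The sample events, the list of monitored autorun keys and the list of "unusual" directories are all constructed assumptions.

```python
"""Flag Sysmon Registry Value Set events (Event ID 13) that write an autorun
entry whose target executable lives in an unusual directory.

Added example, not Rapid7's detection logic. The event records, the monitored
autorun keys and the set of "unusual" directories below are assumptions a
defender would tune for their own environment."""
import re
from typing import Iterable, Optional

SYSMON_REGISTRY_VALUE_SET = 13  # Sysmon Event ID 13: RegistryEvent (Value Set)

# Autorun locations to watch (assumption: Run and RunOnce under either hive).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Directories from which a legitimate autorun target is rare (assumption).
UNUSUAL_DIR_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Windows\\Temp|Downloads)\\",
    re.IGNORECASE,
)


def extract_target(details: str) -> Optional[str]:
    """Return the executable path from an autorun value's data.

    Handles a quoted path ("C:\\Some Dir\\x.exe" /flag) and an unquoted path
    (C:\\x.exe /flag). An unquoted path containing spaces is truncated at the
    first space; that is a known limitation of this simple parser."""
    details = details.strip()
    if not details:
        return None
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 1 else None
    return details.split()[0]


def is_unusual_autorun(event: dict) -> bool:
    """True when a value-set event writes an autorun entry pointing into an
    unusual directory."""
    if event.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
        return False
    if not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return False
    target = extract_target(event.get("Details", ""))
    return bool(target and UNUSUAL_DIR_RE.search(target))


def find_unusual_autoruns(events: Iterable[dict]) -> list:
    """Return one finding per matching event, keeping the fields an analyst
    needs to pivot on: the registry value written, the writing process and
    the executable the autorun points at."""
    hits = []
    for ev in events:
        if is_unusual_autorun(ev):
            hits.append({
                "key": ev["TargetObject"],
                "image": ev.get("Image", ""),
                "target": extract_target(ev["Details"]),
            })
    return hits


# Constructed sample Sysmon registry events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Run value written by reg.exe, pointing into a user's Temp directory
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'"C:\Users\alice\AppData\Local\Temp\updater.exe" -silent',
    },
    {   # Legitimate-looking Run value under Program Files: not flagged
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    },
    {   # Key creation (Event ID 12), not a value write: ignored
        "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "Details": "",
    },
    {   # RunOnce value pointing at the Public profile: flagged
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc",
        "Details": r"C:\Users\Public\svc.exe",
    },
]

if __name__ == "__main__":
    for hit in find_unusual_autoruns(SAMPLE_EVENTS):
        print(f"unusual autorun: {hit['key']} -> {hit['target']} (written by {hit['image']})")
```

The finding keeps the writing process (`Image`) alongside the autorun target because the recommendation above starts from that process: it is the pivot for looking at surrounding process activity on the host.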