MDR: Unveiling Image-Load & Registry (Part 5)

Unveiling Image-Load & Registry Notifications with EDR Solutions

Discover how to effectively monitor image-load and registry notifications using Endpoint Detection and Response (EDR) solutions like Velociraptor and Windows Defender. As a cybersecurity expert, I will guide you through the techniques and tools necessary to identify and prevent security threats in real-time.

How to detect malicious Image-Loads and Registries?

To directly know what settings lead to protect Image-Load and Registry changes using Windows Defender?

VQL Query (Velociraptor):

 SELECT * FROM pslist()
 WHERE BinaryPath CONTAINS 'suspicious_keyword'
 

VQL query enhanced to make the findings more interesting to find (below):

 SELECT * FROM pe_info(path=FullPath) WHERE IsExecutable = 1 AND (CompanyName NOT LIKE '%trusted_company%' OR ProductName NOT LIKE '%trusted_product%')
 

This above query filters the PE (Portable Executable) files that are not from a trusted company or product.

Below is another example if you know suspicious DLL.

 SELECT ImageLoadEvent.ImageFileName, ImageLoadEvent.ImageBase, ImageLoadEvent.ProcessId
 FROM watch_monitoring.ImageLoad AS ImageLoadEvent
 WHERE ImageLoadEvent.ImageFileName LIKE '%suspicious_dll%'
 

The VQL query output will display information about loaded libraries or images, including their path and the process in which they were loaded. You should look for suspicious or unexpected libraries being loaded, especially if they originate from unusual locations.

Windows Defender:

Enable "ASR rule" for "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

To use Windows Defender to monitor image/library load events, you can configure Attack Surface Reduction (ASR) rules. Enable the ASR rule for "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". This helps to restrict the execution of suspicious or potentially malicious libraries. You can manage ASR rules using PowerShell, Group Policy, or Microsoft Endpoint Manager.

VQL Query (Velociraptor):

 SELECT * FROM ntregistry()
 WHERE KeyPath CONTAINS 'suspicious_keyword'
 

The output of the VQL queries will be displayed in table format, with each row representing a specific event or activity that matches the specified criteria. For example, the output of the "SELECT * FROM ntregistry()" query will display information about registry keys and values that contain a suspicious keyword.

The VQL query output will show the registry activity, including created, modified, or deleted keys and values. Be attentive to unexpected or unusual registry changes, as they may indicate malicious activity.

 SELECT CreateEvent.Key, CreateEvent.ValueName, CreateEvent.ValueData
 FROM watch_monitoring.RegistryEvent AS CreateEvent
 WHERE CreateEvent.EventType = "CreateKey" OR CreateEvent.EventType = "CreateValue"
 

Windows Defender:

Enable "Audit Registry" in Advanced Audit Policy Configuration.

To detect registry activity using Windows Defender, you need to enable "Audit Registry" in the Advanced Audit Policy Configuration. This setting helps you track changes to registry keys and values. When enabled, it generates events in the Windows Event Viewer. You can filter events by specific Event IDs to identify registry activities.

Tamper protection: Turn on tamper protection to prevent unauthorised changes to Windows Defender settings. This feature can help protect against attempts to disable or bypass security features related to registry activities.

Windows Defender Setting: Enable tamper protection to prevent unauthorised changes to Windows Defender settings, including attempts to create registry keys or values maliciously.

• Open Windows Security.

• Click on "Virus & threat protection."

• Under "Virus & threat protection settings," click "Manage settings."

• Turn on the "Tamper protection" toggle.

VQL Query (Velociraptor):

 SELECT * FROM ntregistry()
 WHERE EventType = 'SetValue'
 

Monitoring Key/Value Creation

 SELECT * FROM ntregistry() WHERE Operation = 'CreateKey' AND (KeyName LIKE '%suspicious_key%' OR ValueName LIKE '%suspicious_value%')
 

This query focuses on 'CreateKey' operations and filters results for suspicious key or value names. The VQL query output will display newly created registry keys and values. Look for suspicious keys or values that could be related to malware or unauthorized software installations.

 SELECT ModifyEvent.Key, ModifyEvent.ValueName, ModifyEvent.OldValueData, ModifyEvent.NewValueData
 FROM watch_monitoring.RegistryEvent AS ModifyEvent
 WHERE ModifyEvent.EventType = "SetValue"
 

Windows Defender:

Monitor events with Event ID 4657 in Event Viewer.

Cloud-delivered protection: Enable cloud-delivered protection to improve detection and response times for new and emerging threats.

Windows Defender Setting: Enable cloud-delivered protection to improve detection and response times for new and emerging threats, including suspicious registry key/value modifications.

This feature can help identify suspicious behaviour related to image/library loading and registry activities.

• Open Windows Security.

• Click on "Virus & threat protection."

• Under "Virus & threat protection settings," click "Manage settings."

• Turn on the "Cloud-delivered protection" toggle.

VQL Query (Velociraptor):

SELECT * FROM ntregistry()
 WHERE EventType = 'ModifyValue'

Monitoring Key/Value Modification

 SELECT * FROM ntregistry() WHERE Operation = 'SetValueKey' AND (KeyName LIKE '%suspicious_key%' OR ValueName LIKE '%suspicious_value%')
 

This query focuses on 'SetValueKey' operations and filters results for suspicious key or value names.

The VQL query output will show modified registry keys and values. Pay attention to unexpected changes, especially if they involve critical system settings or security configurations.

Windows Defender:

Monitor events with Event ID 4657 in Event Viewer.

Windows Defender Setting: Enable cloud-delivered protection to improve detection and response times for new and emerging threats, including suspicious registry key/value modifications.

Above Windows Defender settings in Tip #4 would suffices.

VQL Query (Velociraptor):

 SELECT * FROM ntregistry()
 WHERE EventType = 'DeleteValue'
 

Monitoring Key/Value Deletion

 SELECT * FROM ntregistry() WHERE Operation = 'DeleteValueKey' AND (KeyName LIKE '%suspicious_key%' OR ValueName LIKE '%suspicious_value%')
 

This query focuses on 'DeleteValueKey' operations and filters results for suspicious key or value names.

The VQL query output will display deleted registry keys and values. Watch for unusual deletions that could indicate an attempt to cover up malicious activities or tamper with system settings.

Windows Defender:

Monitor events with Event ID 4660 in Event Viewer.

Controlled folder access: Enable controlled folder access to protect sensitive files and folders from unauthorised access or modification. This feature can help mitigate the risk of file and registry-related threats.

Windows Defender Setting: Enable controlled folder access to protect sensitive files and folders from unauthorised access or modification, including attempts to delete registry keys or values maliciously.

• Open Windows Security.

• Click on "Virus & threat protection."

• Scroll down to "Ransomware protection" and click "Manage ransomware protection."

• Turn on the "Controlled folder access" toggle.

By using Velociraptor's VQL queries and adjusting Windows Defender settings, you can effectively monitor image-load and registry activities, enhancing your endpoint detection and response strategy.

Windows Defender, while a comprehensive security solution, does not have specific settings directly tied to each tip. However, some general settings can be used to enhance security and detection capabilities in relation to the tips provided in Chapter 5. Here's a brief overview of those settings:

1. Real-time protection: Ensure that real-time protection is enabled in Windows Defender. It actively scans for malware and other threats and can help detect malicious activities related to image/library loading and registry modifications.

2. Cloud-delivered protection: Enable cloud-delivered protection to improve detection and response times for new and emerging threats. This feature can help identify suspicious behaviour related to image/library loading and registry activities.

3. Tamper protection: Turn on tamper protection to prevent unauthorized changes to Windows Defender settings. This feature can help protect against attempts to disable or bypass security features related to registry activities.

4. Controlled folder access: Enable controlled folder access to protect sensitive files and folders from unauthorised access or modification. This feature can help mitigate the risk of file and registry-related threats.

By enabling and configuring these Windows Defender settings, you can strengthen your security posture and improve your ability to detect and respond to threats related to image/library loading and registry activities.

Leverage the power of EDR solutions like Velociraptor and Windows Defender to stay ahead of security threats by monitoring image-load and registry notifications. Implement these tips and stay vigilant against potential attacks.

Unleashing power of MiniFilter PART 6