Canaries running update 3.x.7 or later can now detect remote registry connections made against their Windows File Share service.
How does this work?
In a typical Windows environment, a connection to a machine's remote registry is a rare event. We have found that various reconnaissance tools (such as BloodHound) attempt to connect to the remote registry of a Windows machine in an attempt to identify high-value targets.
The remote registry is accessed over a named pipe after connecting to the IPC$ share.
In the alert, we identify the specific key that was read when the connection was opened. The keys typically read first when a connection is opened are:
- `HKLM`
- `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
Reads of these keys do not necessarily indicate malicious activity, since Remote Registry is a legitimate system administration tool; however, if they are accompanied by a large number of additional key reads, this can indicate a possible breach and reconnaissance effort.
Due to a technical limitation, this detection currently does not reveal the source IP address performing the query. Ideally, this alert should be correlated with any other alerts raised at the same time and with firewall logs for connections to TCP port 445 (SMB).
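As an added example (not part of this article or the Canary product), the Python below applies both heuristics from this section to constructed data: it flags an SMB user whose reads span many distinct keys in a short window, and it recovers candidate source IPs by matching alert timestamps against firewall log lines for TCP/445, since the alert itself carries no source address. The alert tuples, firewall log format, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, SMB user, hive, key); real alerts carry no source IP.
ALERTS = [
    ("2024-05-01T10:00:02", "CORP\\svc_backup", "HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"),
    ("2024-05-01T10:00:03", "CORP\\svc_backup", "HKLM", "SYSTEM\\CurrentControlSet\\Services"),
    ("2024-05-01T10:00:03", "CORP\\svc_backup", "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("2024-05-01T10:00:04", "CORP\\svc_backup", "HKLM", "SAM\\SAM\\Domains"),
    ("2024-05-01T10:00:05", "CORP\\svc_backup", "HKLM", "SECURITY\\Policy"),
    ("2024-05-01T11:30:00", "CORP\\helpdesk", "HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"),
]
# Constructed firewall lines (assumed format) for connections to the Canary at 10.0.0.50.
FW_LOG = """2024-05-01T09:59:58 ACCEPT TCP 10.0.5.23:51344 -> 10.0.0.50:445
2024-05-01T10:00:01 ACCEPT TCP 10.0.5.23:51345 -> 10.0.0.50:445
2024-05-01T10:00:01 ACCEPT TCP 10.0.9.7:44021 -> 10.0.0.50:80
2024-05-01T11:29:57 ACCEPT TCP 10.0.2.14:60120 -> 10.0.0.50:445"""

def parse_fw(text, canary_ip):
    """Return (time, src_ip) for each accepted TCP connection to canary_ip on port 445."""
    hits = []
    for line in text.splitlines():
        ts, _, proto, src, _, dst = line.split()
        if proto == "TCP" and dst == f"{canary_ip}:445":
            hits.append((datetime.fromisoformat(ts), src.rsplit(":", 1)[0]))
    return hits

def candidate_sources(alert_ts, fw_hits, window_s=30):
    """Source IPs that opened TCP/445 to the Canary within window_s seconds before the alert.
    The alert has no source IP, so this correlation is the best available attribution."""
    t = datetime.fromisoformat(alert_ts)
    return sorted({ip for ft, ip in fw_hits if t - timedelta(seconds=window_s) <= ft <= t})

def recon_users(alerts, min_keys=4, window_s=300):
    """Map each SMB user who read at least min_keys distinct keys within window_s seconds
    to that count. One CurrentVersion read is normal; a burst of distinct keys is not."""
    by_user = defaultdict(list)
    for ts, user, hive, key in alerts:
        by_user[user].append((datetime.fromisoformat(ts), f"{hive}\\{key}"))
    flagged = {}
    for user, reads in by_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            keys = {k for t, k in reads[i:] if t - start <= timedelta(seconds=window_s)}
            if len(keys) >= min_keys:
                flagged[user] = len(keys)
                break
    return flagged
```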
Alert
An example "Remote Registry Connection" alert is shown below; its notable fields are:
- SMB User: The authenticated user performing the registry read.
- Mode: The workgroup/domain of the authenticating user.
- Registry Hive: The registry hive which was queried.
- Registry Key: The specific registry key queried.