Description:
This article introduces the "Remote Registry Connection" alert.
Canaries running update 3.x.7 onwards have the added ability to detect remote registry connections made against their Windows File Share service.
In a typical Windows environment, a connection to a machine's remote registry is a rare event. We have found that various reconnaissance tools (such as BloodHound) attempt to connect to the remote registry of a Windows machine in an attempt to identify high-value targets.
The remote registry is accessed over a named pipe after connecting to the IPC$ share.
In the alert we identify the specific key that was read when the connection was opened. Typical keys which are often read first when the connection is opened are:
- HKLM
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
Reads of these keys do not necessarily indicate malicious activity, since the remote registry is a legitimate system administration tool; however, if they are accompanied by a large number of additional key reads, this can indicate a breach and an ongoing reconnaissance effort.
Note: This detection currently does not reveal the source IP address performing the query due to a technical limitation. Ideally this alert should be correlated with any other alerts raised at the same time, and with firewall logging of traffic towards port TCP/445 (SMB).
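The two points above (a burst of distinct key reads is the signal, and the alert lacks a source IP so it must be correlated with TCP/445 firewall logs) can be turned into a small triage script. The following is an added example, not part of this article or of Canary's own tooling: the alert records and firewall log lines are constructed to match the fields described here, the Canary address, usernames, key list, burst threshold and time windows are assumptions, and the firewall log format is an invented syslog-style layout that a real deployment would replace with its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts carrying the fields this article describes
# (SMB User, Mode, Registry Hive, Registry Key). Names, times and keys are
# invented for the example; an empty key means the hive root itself was opened.
ALERTS = [
    {"ts": "2024-05-01T10:00:02", "smb_user": "jdoe", "mode": "CORP", "hive": "HKLM", "key": ""},
    {"ts": "2024-05-01T10:00:03", "smb_user": "jdoe", "mode": "CORP", "hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"ts": "2024-05-01T10:00:04", "smb_user": "jdoe", "mode": "CORP", "hive": "HKLM", "key": r"SYSTEM\CurrentControlSet\Services"},
    {"ts": "2024-05-01T10:00:04", "smb_user": "jdoe", "mode": "CORP", "hive": "HKLM", "key": r"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"},
    {"ts": "2024-05-01T10:00:05", "smb_user": "jdoe", "mode": "CORP", "hive": "HKLM", "key": r"SYSTEM\CurrentControlSet\Control\TimeZoneInformation"},
    # One read of a common first key, hours later: consistent with routine admin use.
    {"ts": "2024-05-01T14:30:00", "smb_user": "svc-inventory", "mode": "CORP", "hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

CANARY_IP = "10.0.9.10"  # assumed address of the Canary's SMB listener

# Constructed firewall log (invented format): "<ts> <action> TCP <src>:<port> -> <dst>:<port>"
FIREWALL_LOG = """\
2024-05-01T09:59:58 allow TCP 10.0.5.23:51234 -> 10.0.9.10:445
2024-05-01T10:00:00 deny TCP 10.0.8.1:40000 -> 10.0.9.10:445
2024-05-01T10:00:01 allow TCP 10.0.5.23:51240 -> 10.0.9.10:445
2024-05-01T11:12:44 allow TCP 10.0.7.8:49002 -> 10.0.9.10:445
2024-05-01T14:29:57 allow TCP 10.0.3.4:60021 -> 10.0.9.10:445
"""

FW_LINE = re.compile(r"^(\S+) (\w+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse_ts(s):
    return datetime.fromisoformat(s)


def burst_readers(alerts, window=timedelta(minutes=5), threshold=3):
    """Group alerts by (Mode, SMB User) and report identities that read more than
    `threshold` distinct (hive, key) pairs inside any `window`. Both defaults are
    assumed values for this example, not figures from the article."""
    by_identity = defaultdict(list)
    for a in alerts:
        by_identity[(a["mode"], a["smb_user"])].append(a)
    flagged = {}
    for ident, items in by_identity.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        times = [parse_ts(a["ts"]) for a in items]
        best = 0
        for i, start in enumerate(times):
            keys = {(a["hive"], a["key"]) for a, t in zip(items[i:], times[i:]) if t - start <= window}
            best = max(best, len(keys))
        if best > threshold:
            flagged[ident] = best
    return flagged


def parse_firewall(log_text, canary_ip):
    """Return (timestamp, source IP) for every allowed TCP/445 connection to the Canary."""
    conns = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        if action == "allow" and dst == canary_ip and dport == "445":
            conns.append((parse_ts(ts), src))
    return conns


def candidate_sources(alert_ts, conns, slack=timedelta(seconds=30)):
    """Source IPs that opened TCP/445 to the Canary within `slack` before the alert.
    Heuristic only: the alert itself carries no source address, so several
    concurrent SMB clients would all show up here."""
    t = parse_ts(alert_ts)
    return sorted({src for ct, src in conns if timedelta(0) <= t - ct <= slack})


if __name__ == "__main__":
    conns = parse_firewall(FIREWALL_LOG, CANARY_IP)
    for (mode, user), n in burst_readers(ALERTS).items():
        first = min(a["ts"] for a in ALERTS if a["mode"] == mode and a["smb_user"] == user)
        print(f"{mode}\\{user}: {n} distinct keys read; candidate sources {candidate_sources(first, conns)}")
```

Run as-is, the script flags CORP\jdoe (five distinct keys inside a few seconds) and attributes the burst to 10.0.5.23, the only address that completed a TCP/445 connection to the Canary just before the first alert, while svc-inventory's single read of a common first key is left alone. The denied connection is ignored because it never reached the share, which is the same reason correlating on firewall accepts rather than on all attempts keeps the candidate list short.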
Example Alert:
An example "Remote Registry Connection" alert can be found below; its notable fields are:
SMB User: The authenticated user performing the registry read.
Mode: The workgroup / domain of the authenticating user.
Registry Hive: The registry hive which was queried.
Registry Key: The specific registry key queried.