Name:Disabling SystemRestore In Registry id:f4f837e2-91fb-11eb-8bf6-acde48001122 version:9 date:2024-12-08 author:Teoderick Contreras, Splunk, Steven Dick status:production type:TTP Description:The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss. Data_source:
-Sysmon EventID 12
-Sysmon EventID 13
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives:in some cases admin can disable systemrestore on a machine. References: -https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Defense Evasion Tactics' - 'Windows Registry Abuse' - 'NjRAT' asset_type:Endpoint confidence:70 impact:70 message:The Windows registry was modified to disable system restore on $dest$ by $user$. mitre_attack_id: - 'T1490' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Registry.dest' - 'Registry.registry_value_name' - 'Registry.registry_key_name' - 'Registry.registry_path' - 'Registry.registry_value_data' - 'Registry.process_guid' risk_score:49 security_domain:endpoint
