Name:Windows Disable Change Password Through Registry id:0df33e1a-9ef6-11ec-a1ad-acde48001122 version:7 date:2024-12-08 author:Teoderick Contreras, Splunk, Steven Dick status:production type:Anomaly Description:The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" with a value of "0x00000001". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network. Data_source:
-Sysmon EventID 12
-Sysmon EventID 13
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives:This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. References: -https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Ransomware' - 'Windows Defense Evasion Tactics' asset_type:Endpoint confidence:70 impact:70 message:Registry modification in "DisableChangePassword" on $dest$ mitre_attack_id: - 'T1112' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Registry.dest' - 'Registry.registry_value_name' - 'Registry.registry_key_name' - 'Registry.registry_path' - 'Registry.registry_value_data' - 'Registry.process_guid' risk_score:49 security_domain:endpoint
