Name:Windows Modify Registry EnableLinkedConnections id:93048164-3358-4af0-8680-aa5f38440516 version:4 date:2024-11-14 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" and the value is set to "0x00000001". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges. Data_source:
-Sysmon EventID 12
-Sysmon EventID 13
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. known_false_positives:Administrators may enable or disable this feature that may cause some false positive. References: -https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'BlackByte Ransomware' asset_type:Endpoint atomic_guid: - '4f4e2f9f-6209-4fcf-9b15-3b7455706f5b' confidence:70 impact:70 message:A registry modification in Windows EnableLinkedConnections configuration on $dest$ mitre_attack_id: - 'T1112' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:49 required_fields: - '_time' - 'Registry.registry_key_name' - 'Registry.registry_path' - 'Registry.user' - 'Registry.dest' - 'Registry.registry_value_name' - 'Registry.action' - 'Registry.registry_value_data' security_domain:endpoint
