Back in January I wrote a post entitled "The best computer security advice you’ll get." In that post I talked about better event log monitoring and invited readers to email me for more event monitoring advice. Readers responded in droves, with a greater number of requests for information than I’ve ever had from a single post.
For the benefit of all, here's my complete event monitoring advice, a combination of documents (get them here) and three previous posts:
A few readers also asked about monitoring the Windows registry for malicious entries. Auditing registry keys ends up causing so many nonmalicious, “noisy” events that I tend not to recommend doing so. Nonetheless, most malware tends to modify specific registry keys; if you suspect an infection, you can monitor those keys and get useful information.
The problem is that most legitimate software modifies these same registry keys, resulting in the aforementioned noise. That's why this type of auditing works best on certain computers -- such as infrastructure servers and administrative jump boxes -- that seldom see unexpected changes over their lives once set up.
Registry auditing is less effective on regular workstations, especially if the user has Administrator rights and can run and install any software. Still, it can’t hurt to collect the information for aggregated metrics or for forensic analysis and alerts.
Deciding which registry keys to audit
Which keys among tens of thousands are useful to audit? I don’t have a complete list that would be 100 percent accurate, but the best source is Microsoft’s Sysinternals Autoruns program.
If you review the registry keys that Autoruns inspects, you’ll have one of the most complete lists of keys available, at least for the places that malware often modifies to ensure it will load each time the computer reboots or the user logs in. Covering 19 different registry key sections, Autoruns is pretty thorough. Some people prefer a similar script called Silent Runners.vbs.
My favorite is Autoruns. Not only is it hosted by Microsoft, but it was created by the legendary Mark Russinovich and is frequently updated by him and his team. New attack vectors find their way into Autoruns pretty quickly. The program has a great GUI that allows you to quickly see (and disable) autorunning entries, send file hashes for VirusTotal.com analysis (see "How to detect malware infection in 9 easy steps"), and run before-and-after comparisons. Note, however, that the Silent Runners.vbs script covers a lot of the same registry keys, and it might be easier for some people to extract registry key paths from it. (You can extract registry keys from Autoruns using its Save option or using the command-line version, Autorunsc.exe.)
Note, however, that perhaps 1 percent of today’s malware is memory-resident only -- that is, it doesn’t write itself to permanent storage. As such, it modifies none of the audited registry keys, and registry auditing will not see it. To detect the memory-resident stuff, follow the procedure outlined in "How to detect malware infection in 9 easy steps."
In the registry, the real trick is in figuring out which modifications are malicious and which are legitimate. The Autoruns/VirusTotal.com linkage will help you, but I don’t know of an easy way to automate or script the process. Simply collecting and aggregating registry key modifications is a start, at least. Then you can analyze what you’re collecting and determine how hard or easy it's going to be to detect a malicious agent. If you’ve read this far, you’re already further along than most admins.
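Collecting and aggregating the registry modifications is the part that can be scripted, even if judging them cannot. The following PowerShell is an added example and is not code from the original post: it normalises registry audit events from the Security log (event 4657, "A registry value was modified", and 4656 handle requests with the Audit Failure keyword and object type "Key") and groups them by key, writing process and outcome, so that known installers can be marked as expected and rare writers stand out. The four sample events at the bottom are constructed, not real log data, and the expected-writer list is an assumption you would replace with your own baseline.

```powershell
# Added example, not part of the original post. Event IDs and field names are
# the standard Windows Security log ones:
#   4657 = "A registry value was modified" (success audit)
#   4656 = "A handle to an object was requested"; with the Audit Failure
#          keyword and ObjectType "Key" it records a denied registry access.

# Audit Failure keyword bit as it appears in the event's <Keywords> element.
$AuditFailureBit = [uint64]4503599627370496   # 0x0010000000000000

function ConvertFrom-RegistryAuditXml {
    # Flattens one event's XML (live record or saved .xml) into an object.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    $keywords = [System.Convert]::ToUInt64($xml.Event.System.Keywords.Substring(2), 16)
    $outcome  = if (($keywords -band $AuditFailureBit) -ne 0) { 'Failure' } else { 'Success' }
    [pscustomobject]@{
        Time       = [datetime]$xml.Event.System.TimeCreated.SystemTime
        EventId    = [int]$xml.Event.System.EventID
        Outcome    = $outcome
        Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectType = $data['ObjectType']        # 'Key' on 4656; absent on 4657
        Key        = $data['ObjectName']        # \REGISTRY\MACHINE\... form
        ValueName  = $data['ObjectValueName']   # empty on 4656
        Process    = $data['ProcessName']
    }
}

function Get-RegistryAuditEvents {
    # Reads the live Security log (elevated prompt required) and keeps only
    # successful value writes and denied registry-key accesses.
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 4656, 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object { ConvertFrom-RegistryAuditXml $_.ToXml() } |
      Where-Object { $_.EventId -eq 4657 -or
                     ($_.EventId -eq 4656 -and $_.Outcome -eq 'Failure' -and $_.ObjectType -eq 'Key') }
}

function Get-RegistryAuditSummary {
    # Groups records by key, process and outcome; $ExpectedWriters is a
    # baseline of processes you already know touch these keys (assumption).
    param([Parameter(Mandatory)][object[]]$Records, [string[]]$ExpectedWriters = @())
    $Records | Group-Object Key, Process, Outcome | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count    = $_.Count
            Expected = ($ExpectedWriters -contains $first.Process)
            Outcome  = $first.Outcome
            Process  = $first.Process
            Key      = $first.Key
            Accounts = (($_.Group.Account | Sort-Object -Unique) -join ';')
        }
    } | Sort-Object Expected, Count   # unexpected and rare writers float to the top
}

function New-SampleEventXml {
    # Builds a constructed event in the Security log XML shape, for offline use.
    param([int]$Id, [string]$Keywords, [string]$Time, [string]$User,
          [string]$Key, [string]$Value, [string]$Process, [string]$ObjectType = '')
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<Keywords>$Keywords</Keywords><TimeCreated SystemTime='$Time'/></System><EventData>" +
    "<Data Name='SubjectUserName'>$User</Data><Data Name='SubjectDomainName'>CORP</Data>" +
    "<Data Name='ObjectType'>$ObjectType</Data><Data Name='ObjectName'>$Key</Data>" +
    "<Data Name='ObjectValueName'>$Value</Data><Data Name='ProcessName'>$Process</Data></EventData></Event>"
}

# Constructed sample events: two installer writes, one write from an odd path,
# and one denied access from that same path.
$run = '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sampleEvents = @(
    (New-SampleEventXml 4657 '0x8020000000000000' '2016-05-02T13:05:11Z' 'svc-deploy' $run 'AgentUpdater' 'C:\Windows\System32\msiexec.exe'),
    (New-SampleEventXml 4657 '0x8020000000000000' '2016-05-02T13:05:12Z' 'svc-deploy' $run 'AgentTray'    'C:\Windows\System32\msiexec.exe'),
    (New-SampleEventXml 4657 '0x8020000000000000' '2016-05-02T22:41:03Z' 'jdoe'       $run 'Helper'       'C:\Users\Public\tmp\svchost.exe'),
    (New-SampleEventXml 4656 '0x8010000000000000' '2016-05-02T22:40:58Z' 'jdoe'       $run ''             'C:\Users\Public\tmp\svchost.exe' 'Key')
)

# Offline demonstration on the constructed events:
$records = $sampleEvents | ForEach-Object { ConvertFrom-RegistryAuditXml $_ }
Get-RegistryAuditSummary -Records $records -ExpectedWriters 'C:\Windows\System32\msiexec.exe' | Format-Table -AutoSize

# Against the live log, once auditing is enabled:
# Get-RegistryAuditSummary -Records (Get-RegistryAuditEvents) -ExpectedWriters $yourBaseline | Format-Table -AutoSize
```

The point of the grouping is exactly the noise problem the post describes: on a server that changes rarely, the expected-writer baseline is short, so anything left unmarked in the summary is worth a look, while the same report on a workstation will be dominated by legitimate installers.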
Enabling registry auditing
You need to start, of course, by enabling Windows registry auditing. It’s a two-step process.
First you need to enable registry auditing in the Windows Event logger. You can do this using Active Directory or local group policy: find and enable the Audit Registry option in the Object Access subcategory under Advanced Audit Policy Configuration (Computer Configuration > Windows Settings > Security Settings). Enable both the Success and Failure options. Failure auditing is worth having because it’s always good to know which program (or which users) tried to modify a registry key when they lacked the correct permissions.
Next, open Regedit.exe, right-click each registry key you want to audit, choose the Permissions option, click the Advanced button, and select the Auditing tab. Add the Everyone group as the principal to audit and, instead of choosing one of the three Basic Permissions, choose Show Advanced Permissions. Then enable the following permissions:
- Set Value
- Create Subkey
- Create Link
- Write DAC
- Write Owner
Repeat that permissions routine for every registry key you want to monitor.
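The same two-step setup can be scripted, which matters once the key list grows past a handful. The PowerShell below is an added example, not code from the original post: it enables the Registry subcategory with auditpol, then adds a Success and Failure audit entry carrying the five permissions above to each key in a list. The key list is a constructed sample of common autostart locations (replace it with the paths you extract from Autoruns or Autorunsc.exe), and the principal is assumed to be Everyone, written as its well-known SID S-1-1-0 so the script works on non-English systems.

```powershell
# Added example, not part of the original post. Run from an elevated prompt
# on the machine being audited.

# Step 1: Success and Failure auditing for the Registry subcategory (Object
# Access). In a domain, set the same option through Group Policy as well, or
# the next policy refresh will overwrite this local setting.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Step 2: the five permissions from the post, as RegistryRights flags.
# "Write DAC" is ChangePermissions and "Write Owner" is TakeOwnership.
$auditRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, ChangePermissions, TakeOwnership'
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # subkeys inherit the entry
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$everyone    = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # assumed principal

# Constructed sample list; substitute the keys you pulled out of Autoruns.
$keysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Add-RegistryAuditRule {
    # Get-Acl -Audit reads the key's SACL; Set-Acl writes it back. Writing a
    # SACL needs SeSecurityPrivilege, which an elevated administrator holds.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $everyone, $auditRights, $inherit, $propagate, $auditFlags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryAuditRule {
    # $true when the key carries an entry for S-1-1-0 covering all five rights
    # for both Success and Failure; use it to verify a fleet, not just to set it.
    param([Parameter(Mandatory)][string]$Path)
    $entries = (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($e in $entries) {
        if ($e.IdentityReference.Value -eq 'S-1-1-0' -and
            (($e.RegistryRights -band $auditRights) -eq $auditRights) -and
            (($e.AuditFlags -band $auditFlags) -eq $auditFlags)) { return $true }
    }
    return $false
}

foreach ($key in $keysToAudit) {
    Add-RegistryAuditRule -Path $key
    Write-Output ('{0} -> audit entry present: {1}' -f $key, (Test-RegistryAuditRule -Path $key))
}
```

Test-RegistryAuditRule is the piece to keep around: the entries are easy to lose when a key is recreated by an installer, and a scheduled run of the check across the servers you care about is cheaper than discovering the gap during an investigation.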
Registry auditing isn’t for the faint of heart. My best advice is to focus on monitoring the registry keys on computers that contain high-value data and other strategic assets (like domain controllers, infrastructure servers, jump boxes, and so on), and which should not be frequently changing.
Registry auditing may be a bit daunting, but it's another great tool for detecting badness on your computers and networks. Go in with realistic expectations, screen out the noise, and add an important piece to your overall detection regime.