With hundreds of millions of variants, Microsoft Windows malware doesn't always modify the Windows registry… but it usually does. Malware modifies the registry to make sure it launches again after a reboot, to hide better, or to hook itself into an existing legitimate process. So it makes sense to monitor the registry areas that malware most often manipulates.
The problem is that most legitimate software modifies those same registry keys, resulting in too much false-positive "noise". The changes you really should be paying attention to get buried under the ones you don't need to worry about. But if you do it right, registry monitoring is a great way to detect malware and alert the people who respond to it.
Deciding which registry keys to audit
Which registry keys among tens of thousands are useful to audit? I don’t have a complete list that would be 100 percent accurate, but the best source is Microsoft’s Sysinternals Autoruns program.
If you review the registry keys that Autoruns inspects, you'll have one of the most complete lists of the registry keys that malware likes to manipulate. Covering 19 categories of autostart locations, Autoruns is pretty thorough. Some people prefer a similar script called Silent Runners.vbs, but I prefer Autoruns. Not only is it hosted by Microsoft, but it was created by the legendary Mark Russinovich and is frequently updated by him and his team.
New attack vectors find their way into Autoruns pretty quickly. The program has a great GUI that lets you quickly see (and disable) autorunning entries, send file hashes to VirusTotal.com for analysis, and run before-and-after comparisons. The Silent Runners.vbs script covers a lot of the same registry keys, and it might be easier for some people to extract registry key paths from it. (You can extract the registry keys Autoruns checks by using its Save option or by using the command-line version, Autorunsc.exe.)
Note, however, that perhaps one percent of today's malware is memory-resident only — that is, it never writes itself to permanent storage. Because it has no file to relaunch, it has no reason to touch any of the autostart keys, and registry auditing will not see it. To detect the memory-resident stuff, follow the procedure outlined in "How to detect malware infection in 9 easy steps."
Finding malware with VirusTotal
The real trick in registry monitoring is figuring out which modifications are malicious and which are legitimate. Years ago this took years of experience and an hour or so per machine. Now you can get a verdict for every autostart entry in about 15 seconds, with about the best accuracy available, just by enabling the VirusTotal functionality of Autoruns.
VirusTotal is a Google-owned service that checks every submitted file or file hash against every participating antivirus engine. It currently has 67 engines, although that number goes up and down. VirusTotal is great by itself: users can submit individual files and find out whether any engine detects them as malware. But where it really gets neat is when programs integrate with it, as Autoruns and Process Explorer do.
When you run either utility and enable the Check VirusTotal.com option, the hash of each involved file is automatically sent to VirusTotal (the file itself is only uploaded if you also turn on Submit Unknown Images) and a ratio comes back for each file. The denominator (the lower number) shows how many antivirus engines have inspected that file; usually it's 67 or something smaller. The numerator (the upper number) shows how many of those engines called the file malicious. If the numerator is 0, no engine detected it, which is a strong sign the file is benign but not proof: brand-new or targeted malware routinely scores 0 until someone submits it, so an unsigned file with a 0 still deserves a second look. If the numerator is 3 or above, you usually have a malicious program. Unfortunately, a numerator of 1 or 2 is usually a false positive from a relatively unknown antivirus engine. If you follow these rules, VirusTotal is very, very accurate.
The Autoruns/VirusTotal.com linkage will help you, but I don’t know of an easy way to automate or script the process. Simply collecting and aggregating registry key modifications is a start, at least. Then you can analyze what you’re collecting and determine how hard or easy it's going to be to detect a malicious agent. If you’ve read this far, you’re already further along than most admins.
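Autorunsc, the command-line version of Autoruns, can perform the VirusTotal hash lookup itself, so the collect-then-triage loop can be scripted. The following PowerShell is an added example written for this page, not code from the article or from Sysinternals. It assumes autorunsc.exe is on the PATH, that the host can reach VirusTotal, and that Autorunsc's CSV output carries the result in a column named "VT detection" formatted as "hits|engines" alongside "VT permalink", "Entry Location", "Image Path", "Signer" and "SHA-256" columns; those column names and that format are assumptions to verify against your Autoruns version. It applies the 0 / 1-2 / 3+ rule above and, once a baseline CSV exists, also lists autostart entries that are new since that baseline.

```powershell
# Added example (not from the article or from Sysinternals). Assumptions: autorunsc.exe is on the
# PATH, VirusTotal is reachable, and the CSV has "VT detection" (e.g. "3|67"), "VT permalink",
# "Entry Location", "Image Path", "Signer" and "SHA-256" columns. Verify against your Autorunsc version.

$outDir   = Join-Path $env:ProgramData 'AutorunsBaseline'
$null     = New-Item -ItemType Directory -Path $outDir -Force
$baseline = Join-Path $outDir 'baseline.csv'
$current  = Join-Path $outDir ('run-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

# -a * all categories, -c CSV, -h hashes, -s verify signatures, -m hide (Microsoft-)signed entries,
# -v query VirusTotal by hash only (no upload), -vt accept the VirusTotal terms, -nobanner keep the CSV clean.
# cmd.exe redirection captures the raw bytes so PowerShell does not re-encode the tool's output.
cmd.exe /c "autorunsc.exe -accepteula -nobanner -a * -c -h -s -m -v -vt > `"$current`""

function Get-VtVerdict {
    param([string]$Detection)
    if ($Detection -notmatch '^(\d+)\|(\d+)$') { return 'Unknown' }   # blank / "Unknown": VT has never seen the hash
    $hits = [int]$Matches[1]
    if ($hits -ge 3) { return 'Malicious' }
    if ($hits -ge 1) { return 'Suspicious' }   # 1-2 engines: usually a false positive, but check signer and path
    return 'Clean'
}

function Get-AutorunsTriage {
    param([string]$CsvPath)
    $text = [System.IO.File]::ReadAllText($CsvPath)   # honors a UTF-16 or UTF-8 BOM if autorunsc wrote one
    $text | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Verdict   = Get-VtVerdict $_.'VT detection'
            Detection = $_.'VT detection'
            Location  = $_.'Entry Location'
            Image     = $_.'Image Path'
            Signer    = $_.Signer
            Sha256    = $_.'SHA-256'
            Report    = $_.'VT permalink'
        }
    }
}

$rows = Get-AutorunsTriage $current

# Triage order: flagged first, then entries VirusTotal has never seen, which is where fresh malware hides.
$rows | Where-Object { $_.Verdict -ne 'Clean' } |
    Sort-Object @{ Expression = { @{ Malicious = 0; Suspicious = 1; Unknown = 2 }[$_.Verdict] } }, Signer |
    Format-Table Verdict, Detection, Signer, Image, Location -AutoSize

# New entries since the baseline: the before-and-after comparison the Autoruns GUI offers.
if (Test-Path $baseline) {
    $old = Get-AutorunsTriage $baseline | ForEach-Object { '{0}|{1}|{2}' -f $_.Location, $_.Image, $_.Sha256 }
    $new = $rows | Where-Object { $old -notcontains ('{0}|{1}|{2}' -f $_.Location, $_.Image, $_.Sha256) }
    "`n{0} autostart entries not present in the baseline:" -f @($new).Count
    $new | Format-Table Verdict, Detection, Signer, Image, Location -AutoSize
} else {
    Copy-Item $current $baseline   # first run: record the baseline on a machine you believe is clean
}
```

Keyed on location, image path and SHA-256, the baseline comparison catches a replaced binary as well as a new entry; a legitimate update will show up too, which is where the signer column earns its place in the table.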
Enabling registry auditing
Enterprises should enable registry auditing, which the built-in Windows auditing features support. It's a two-step process: first turn on the audit subcategory, then put an audit entry on each registry key you care about.
First, enable registry auditing in the Windows event log. Using Active Directory or local group policy, go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access and enable the Audit Registry option for both Success and Failure. (When you use the advanced subcategories, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", or a legacy Object Access category setting can override them.) Failure auditing is worth having because it tells you which program (or which user) tried to modify a registry key without the permission to do so.
Next, open each individual registry key in Regedit.exe, right-click the key you want to audit, choose Permissions, click the Advanced button, and select the Auditing tab. Add the Everyone group as the principal to audit, set Type to All (success and failure), and instead of choosing one of the three Basic Permissions, choose Show Advanced Permissions. Then enable the following permissions:
- Set Value
- Create Subkey
- Create Link
- Write DAC
- Write Owner
Repeat that routine for every registry key you want to monitor. (If per-key entries are too much work, the Global Object Access Auditing > Registry setting under the same Advanced Audit Policy Configuration node applies one audit entry to every key on the computer; it is far simpler to deploy but produces correspondingly more noise.)
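The same two steps, plus reading back what they produce, can be done from an elevated PowerShell instead of clicking through Regedit on each machine. This is an added example for this page, not code from the article; it assumes you run it as an administrator (writing an audit entry requires the SeSecurityPrivilege that an elevated session holds), and the list of keys is a short starting set, not the full Autoruns list. The five advanced permissions above map onto the .NET RegistryRights names SetValue, CreateSubKey, CreateLink, ChangePermissions (Write DAC) and TakeOwnership (Write Owner). The allow-list of trusted processes in the final call is an assumption you will need to tailor.

```powershell
# Added example (not from the article). Run from an elevated PowerShell: auditpol needs admin and
# writing a SACL needs SeSecurityPrivilege. The key list is a starting set, not Autoruns' full list.

# Step 1: the same switch the GPO sets under Advanced Audit Policy > Object Access > Audit Registry.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: an audit entry (SACL) on each key. Regedit name -> RegistryRights name:
#   Set Value -> SetValue, Create Subkey -> CreateSubKey, Create Link -> CreateLink,
#   Write DAC -> ChangePermissions, Write Owner -> TakeOwnership.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # AppInit_DLLs lives here
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         # HKCU = the hive of the account running this
)
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, ChangePermissions, TakeOwnership'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone, by well-known SID
$rule     = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # this key and its subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "Skipping missing key $key"; continue }
    $acl = Get-Acl -Path $key -Audit    # -Audit is what reads (and lets you write back) the SACL
    $acl.AddAuditRule($rule)            # adds to any existing audit entries rather than replacing them
    Set-Acl -Path $key -AclObject $acl
}

# Step 3: read what the SACL produces. 4657 = a registry value was modified, 4663 = an audited access
# (its AccessList says which right), 4660 = object deleted. Failed attempts carry the 'Audit Failure' keyword.
function Get-RegistryAuditEvents {
    param([int]$Hours = 24, [string[]]$IgnoreProcess = @())   # $IgnoreProcess: your own noise allow-list
    $filter = @{ LogName = 'Security'; Id = 4657, 4663, 4660; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Process = $d.ProcessName
            Key     = $d.ObjectName          # reported in \REGISTRY\MACHINE\... form
            Value   = $d.ObjectValueName     # only on 4657
            NewData = $d.NewValue            # only on 4657
        }
    } | Where-Object { $IgnoreProcess -notcontains $_.Process }
}

# Example: the last day's changes, minus an installer you already trust (the allow-list is an assumption).
Get-RegistryAuditEvents -Hours 24 -IgnoreProcess @("$env:SystemRoot\System32\msiexec.exe") |
    Sort-Object Time | Format-Table Time, Id, Outcome, User, Process, Key, Value -AutoSize
```

Event 4657 is the one worth alerting on for autostart keys, since it carries the value name and the new data (the path of whatever will run at next logon); 4663 is mostly useful for the Failure outcome the article recommends, because it shows who tried and with which right. Ship the function's output to your log collector rather than reading it per machine, and grow the allow-list from what the first week of data shows.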
Registry auditing isn't for the faint of heart. My best advice is to focus on the registry keys of computers that hold high-value data and other strategic assets (domain controllers, infrastructure servers, jump boxes, and so on), and whose configuration should not be changing often, so that any change is worth a look.
Registry auditing may be a bit daunting, but it's another great tool for detecting badness on your computers and networks. Go in with realistic expectations, screen out the noise, and add an important piece to your overall detection regime.