Midnight Blizzard - Script payload stored in Registry

Hunt Hypothesis

Adversaries may store malicious script payloads in the registry to execute them later, leveraging registry persistence as a covert execution method. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential long-term persistence and command and control activities.

KQL Query

let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
(union isfuzzy=true 
(SecurityEvent
| where TimeGenerated >= ago(14d)
| where EventID == 4688
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
//| where CommandLine has_any (cmdTokens0)
//| where CommandLine has_all (cmdTokens1)
| where CommandLine has_all (cmdTokens2)
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
),
(WindowsEvent
| where TimeGenerated >= ago(14d)
| where EventID == 4688 and EventData has_all(cmdTokens2) and  EventData has @'\Microsoft\Windows\CurrentVersion'
| where not(EventData has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
//| where CommandLine has_any (cmdTokens0)
//| where CommandLine has_all (cmdTokens1)
| where CommandLine has_all (cmdTokens2)
| extend Account =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| extend ParentProcessName = tostring(EventData.ParentProcessName)  
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)
| extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), HostName = tostring(split(Computer, '.', 0)[0]))

Analytic Rule Definition

id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
name: Midnight Blizzard - Script payload stored in Registry
description: |
  'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents 
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1059
tags:
  - Midnight Blizzard
query: |
  let cmdTokens0 = dynamic(['vbscript','jscript']);
  let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
  let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
  (union isfuzzy=true 
  (SecurityEvent
  | where TimeGenerated >= ago(14d)
  | where EventID == 4688
  | where CommandLine has @'\Microsoft\Windows\CurrentVersion'
  | where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  // If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
  //| where CommandLine has_any (cmdTokens0)
  //| where CommandLine has_all (cmdTokens1)
  | where CommandLine has_all (cmdTokens2)
  | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where TimeGenerated >= ago(14d)
  | where EventID == 4688 and EventData has_all(cmdTokens2) and  EventData has @'\Microsoft\Windows\CurrentVersion'
  | where not(EventData has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has @'\Microsoft\Windows\CurrentVersion'
  | where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  // If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
  //| where CommandLine has_any (cmdTokens0)
  //| where CommandLine has_all (cmdTokens1)
  | where CommandLine has_all (cmdTokens2)
  | extend Account =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | extend ParentProcessName = tostring(EventData.ParentProcessName)  
  | project TimeGenerated, Computer, Accou

Required Data Sources

Sentinel Table	Notes
`SecurityEvent`	Ensure this data connector is enabled
`WindowsEvent`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Execution
Technique: T1059 — Command and Scripting Interpreter

References

Source Query

False Positive Guidance

Scenario: Scheduled Job Configuration
Description: A legitimate scheduled job (e.g., Task Scheduler) is configured to run a script that stores a script payload in the registry as part of its setup.
Filter/Exclusion: Check for CommandLine containing schtasks or schtasks.exe and filter out registry writes associated with scheduled task configurations.
Scenario: System Configuration via Group Policy
Description: An admin task (e.g., gpupdate or gpresult) triggers a registry update to store a script payload as part of a policy deployment.
Filter/Exclusion: Filter out registry writes that occur during gpupdate or gpresult execution, or check for registry paths commonly used by Group Policy (e.g., HKLM\Software\Policies).
Scenario: PowerShell Script Deployment
Description: A legitimate PowerShell script (e.g., PowerShell.exe -Command) is used to store a script payload in the registry as part of a deployment process.
Filter/Exclusion: Filter out registry writes that occur when PowerShell.exe is invoked with -Command or -File and are associated with known deployment tools (e.g., Chocolatey, Packer, Ansible).
Scenario: Windows Update or Patching Tool
Description: A patching tool (e.g., Windows Update, WSUS, or SCCM) writes a script payload to the registry during an update process.
Filter/Exclusion: Exclude registry writes that occur during known update processes by checking for parent processes like wusa.exe, msiexec.exe, or setup.exe.
Scenario: Admin Tool for Registry Management
Description: An admin tool (e.g., Regedit.exe, reg.exe, or `PowerShell