Adversaries modify the registry to establish persistence and keep control of compromised systems. The hunting query below looks for writes to the specific CLSID and AppX registry keys taken from the OceanLotus Sigma rule referenced in the rule definition; SOC teams should run it proactively in Azure Sentinel so that this activity is detected and contained early rather than found after the fact.
KQL Query
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model"
or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon"
or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon"
or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application"
or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon"
id: 3e571521-6f73-423f-9280-aff6170c9d81
name: OceanLotus registry activity
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
query: |
  DeviceRegistryEvents
  | where Timestamp > ago(7d)
  | where ActionType == "RegistryValueSet"
  | where RegistryKey endswith @"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model"
      or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application"
      or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon"
      or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application"
      or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon"
      or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application"
      or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon"
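As an added example (not code from the original page or from the Sigma/Sentinel rule authors), the same hunt re-implemented in Python so the matching logic can be exercised offline, for instance over a CSV/JSON export of DeviceRegistryEvents from advanced hunting. It assumes rows carry the DeviceRegistryEvents column names (Timestamp, ActionType, RegistryKey, InitiatingProcessFileName, InitiatingProcessAccountName); the sample rows, device names and process names are constructed for the demo. It also surfaces the initiating process and account per device, which is the context the false-positive scenarios below ask you to check, as triage information rather than as an exclusion.

```python
"""
Added example, not code from the original page or the rule authors: the
OceanLotus registry hunt above, re-implemented over exported
DeviceRegistryEvents-style rows. Sample rows below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Key suffixes exactly as listed in the hunting query above.
OCEANLOTUS_KEY_SUFFIXES = (
    r"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model",
    r"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application",
    r"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon",
    r"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application",
    r"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon",
    r"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application",
    r"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon",
)
# Lower-cased once: KQL's `endswith` is case-insensitive and so are registry
# paths, so a key logged as hkey_current_user\software\app\... must still match.
_SUFFIXES_LOWER = tuple(s.lower() for s in OCEANLOTUS_KEY_SUFFIXES)


def parse_timestamp(value):
    """DeviceRegistryEvents.Timestamp as exported: ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_oceanlotus_registry_event(event, now, lookback=timedelta(days=7)):
    """Apply the query's three `where` clauses to one DeviceRegistryEvents row."""
    if parse_timestamp(event["Timestamp"]) <= now - lookback:  # Timestamp > ago(7d)
        return False
    if event.get("ActionType") != "RegistryValueSet":          # ActionType == "RegistryValueSet"
        return False
    key = event.get("RegistryKey", "").lower()                  # RegistryKey endswith ... or ...
    return key.endswith(_SUFFIXES_LOWER)


def hunt(events, now):
    """Return the matching rows, oldest first."""
    hits = [e for e in events if is_oceanlotus_registry_event(e, now)]
    return sorted(hits, key=lambda e: parse_timestamp(e["Timestamp"]))


def triage_context(hits):
    """Per device: which processes and accounts wrote the indicator keys.
    Surfaced for an analyst to review, not used to drop rows: an adversary
    running as an administrator or through reg.exe would otherwise be
    excluded together with the legitimate activity."""
    ctx = {}
    for e in hits:
        dev = ctx.setdefault(e["DeviceName"], {"processes": set(), "accounts": set(), "keys": set()})
        dev["processes"].add(e.get("InitiatingProcessFileName", "").lower())
        dev["accounts"].add(e.get("InitiatingProcessAccountName", "").lower())
        dev["keys"].add(e["RegistryKey"])
    return ctx


# Constructed sample rows (not real telemetry). NOW is fixed so the run is
# reproducible; against a live export use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {   # matches: CLSID\...\Model written two days ago
        "Timestamp": "2024-01-13T09:30:00Z", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
        "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model",
        "InitiatingProcessFileName": "setup_helper.exe", "InitiatingProcessAccountName": "alice",
    },
    {   # matches: AppX DefaultIcon key, lower-cased path under HKCU
        "Timestamp": "2024-01-13T09:31:00Z", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
        "RegistryKey": r"hkey_current_user\software\app\appx70162486c7554f7f80f481985d67586d\defaulticon",
        "InitiatingProcessFileName": "setup_helper.exe", "InitiatingProcessAccountName": "alice",
    },
    {   # no match: a Run key is not in the indicator list
        "Timestamp": "2024-01-14T08:00:00Z", "DeviceName": "ws02", "ActionType": "RegistryValueSet",
        "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "InitiatingProcessFileName": "svchost.exe", "InitiatingProcessAccountName": "system",
    },
    {   # no match: indicator key, but the action is a key creation, not a value set
        "Timestamp": "2024-01-14T10:00:00Z", "DeviceName": "ws03", "ActionType": "RegistryKeyCreated",
        "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application",
        "InitiatingProcessFileName": "msiexec.exe", "InitiatingProcessAccountName": "system",
    },
    {   # no match: indicator key, but fourteen days old, outside ago(7d)
        "Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws04", "ActionType": "RegistryValueSet",
        "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application",
        "InitiatingProcessFileName": "setup_helper.exe", "InitiatingProcessAccountName": "bob",
    },
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS, NOW)
    for hit in hits:
        print(hit["Timestamp"], hit["DeviceName"], hit["InitiatingProcessFileName"], hit["RegistryKey"])
    for device, ctx in triage_context(hits).items():
        print(device, sorted(ctx["processes"]), sorted(ctx["accounts"]), len(ctx["keys"]), "indicator keys")
```

Only the two ws01 rows survive: the Run-key write, the key creation on an indicator path, and the stale value set are all dropped, which mirrors what the KQL returns. The per-device summary is what an analyst should look at before deciding whether the writing process is a known installer or something to escalate.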
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure the MicrosoftThreatProtection data connector is enabled and this table is being ingested |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (Task Scheduler or a PowerShell script) modifies registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or similar paths. Note that the query above only matches the specific CLSID and AppX paths it lists, so Run-key writes will only surface if that key list is broadened.
Filter/Exclusion: Check the initiating process (InitiatingProcessFileName, InitiatingProcessCommandLine) for a Task Scheduler or PowerShell execution context, and exclude only writes made by tasks with a known maintenance or configuration purpose (e.g., Microsoft\Windows\AutoTime or Microsoft\Windows\Defender). Do not exclude writes to the indicator paths themselves on the basis of the writing process alone.
Scenario: Windows Update or Patching Process
Description: Windows Update or Microsoft Endpoint Manager (MEM) may modify registry keys during system updates, for example under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate or HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Filter/Exclusion: Filter by the initiating process (svchost.exe hosting the wuauserv service, or setup.exe; wuauserv is a service, not a standalone executable) and by the policy paths involved (e.g., HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate), or correlate the write with a known update or patching window. Because svchost.exe is a generic host process, do not exclude it by name alone; check the command line and the service it hosts.
Scenario: Admin User Performing Registry Configuration
Description: An admin user (e.g., a local Administrator or Domain Admin) manually modifies registry keys for configuration purposes (e.g., setting proxy settings, configuring services, or adjusting system policies).
Filter/Exclusion: Treat Administrators group membership and the use of regedit.exe, reg.exe, or msconfig.exe as triage context, not as an exclusion: an adversary who has obtained administrative access would typically write the registry in exactly the same way, so a blanket exclusion would hide the activity this hunt is meant to find. Instead, correlate the write with a change record or the admin's own confirmation, and never exclude writes to the indicator paths listed in the query.
Scenario: Antivirus or Security Software Configuration
Description: Antivirus or endpoint protection software (e.g., Microsoft Defender, CrowdStrike, or Symantec) may modify registry entries to configure scan paths, exclusions, or service settings.
Filter/Exclusion: Check for