1686837691, search_name="ESCU - Windows Modify Registry No Auto Update - Rule", analyticstories="RedLine Stealer", annotations="{\"analytic_story\":[\"RedLine Stealer\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1112\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="T1112", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="RedLine Stealer", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="RedLine Stealer", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1112", annotations.nist="DE.AE", count="3", dest="ar-win-2.attackrange.local", firstTime="2023-06-15T13:54:04", info_max_time="1686837600.000000000", info_min_time="1686837000.000000000", info_search_time="1686837685.655924000", lastTime="2023-06-15T13:56:57", registry_key_name="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", registry_path="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", registry_value_data="0x00000001", risk_message="A registry modification in Windows auto update configuration on ar-win-2.attackrange.local", risk_object="ar-win-2.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", user="Administrator" 1686837091, search_name="ESCU - Windows Modify Registry No Auto Update - Rule", analyticstories="RedLine Stealer", annotations="{\"analytic_story\":[\"RedLine Stealer\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1112\"],\"nist\":[\"DE.AE\"]}", annotations._all="Exploitation", annotations._all="RedLine Stealer", annotations._all="CIS 10", annotations._all="T1112", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="RedLine Stealer", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1112", annotations.nist="DE.AE", count="1", dest="ar-win-2.attackrange.local", firstTime="2023-06-15T13:48:40", info_max_time="1686837000.000000000", info_min_time="1686836400.000000000", info_search_time="1686837085.430202000", lastTime="2023-06-15T13:48:40", registry_key_name="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", registry_path="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions", registry_value_data="0x00000001", risk_message="A registry modification in Windows auto update configuration on ar-win-2.attackrange.local", risk_object="ar-win-2.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", user="Administrator" 1686836489, search_name="ESCU - Windows Modify Registry No Auto Update - Rule", analyticstories="RedLine Stealer", annotations="{\"analytic_story\":[\"RedLine Stealer\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1112\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="RedLine Stealer", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1112", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="RedLine Stealer", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1112", annotations.nist="DE.AE", count="1", dest="ar-win-2.attackrange.local", firstTime="2023-06-15T13:38:49", info_max_time="1686836400.000000000", info_min_time="1686835800.000000000", info_search_time="1686836485.442763000", lastTime="2023-06-15T13:38:49", registry_key_name="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", registry_path="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers", registry_value_data="0x00000001", risk_message="A registry modification in Windows auto update configuration on ar-win-2.attackrange.local", risk_object="ar-win-2.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", user="Administrator"