Stories from the SOC: Registry Clues to PDF Blues: A Tale of PUA Persistence
Published 2024-11-21. Source: https://cybersecurityupdate.net/news/stories-from-the-soc-registry-clues-to-pdf-blues-a-tale-of-pua-persistence/
Persistence gives a threat actor continued access to a system, or continued execution of a chosen process, across reboots, logoffs and other state changes. Monitoring for persistence indicators and investigating them when they fire is therefore a key component of any robust detection and response program.
Two common persistence techniques are Boot or Logon Autostart Execution (T1547, of which the Windows Run registry keys are sub-technique T1547.001) and abuse of Scheduled Task/Job functionality (T1053, with Windows Scheduled Task as T1053.005). Legitimate applications also use autostart entries and scheduled tasks all the time, for updaters, tray helpers and browser background modes, so defending against these techniques requires not only detection monitoring but also analysis by a security professional who can tell an expected entry from an unexpected one.

During a recent incident involving a LevelBlue MDR SOC customer, an alarm that fired on a Windows Run (autorun) registry key being created for persistence was traced back to a potentially unwanted application (PUA). The PUA presented itself as a PDF conversion application. A review of the initial alarm and the related events showed that the application had established a double layer of persistence: it created both a scheduled task and a Run registry key, each executing JavaScript under the guise of a Chrome browser extension. Open-source intelligence (OSINT) tools identified the application as either a PUA or a potentially malicious file. An investigation with remediation recommendations was opened for the customer, who confirmed that the application was neither expected nor authorized in their environment, and it was removed.

The same application was later detected in another customer's environment, but in that case the customer had already added a related file hash to an exclusion list. Because the LevelBlue MDR SOC analyst had recently investigated the application and identified it as potentially malicious, they were able to recommend removing the hash from the exclusion list and adding it to a blocklist instead.

The investigation began with the LevelBlue analyst receiving an alarm that a Windows Run registry value named "ChromeBrowserAutoLaunch" had been added on an endpoint in the customer environment. At first glance this looked like an entry set to auto-launch Chrome with a browser extension loaded, but analysis of the source process command line revealed several items that warranted further investigation.

Figure 1: The initial alarm for the autorun registry key creation

Investigation
Initial Alarm Review
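The triage an analyst performs on an entry like "ChromeBrowserAutoLaunch" can be scripted: pull the executable and arguments out of the command line, check whether the executable matches what the entry name claims, look for script hosts and script payloads, and correlate the payload path across Run keys and scheduled tasks to spot the double persistence described above. The following Python is an added example, not code from LevelBlue or from the original post; the persistence entries it inspects are constructed for illustration and are not the artifacts from the incident (the page does not reproduce the actual command line), and the field names, the `triage` and `find_double_persistence` functions and the scoring rules are the example's own assumptions.

```python
"""Triage of Run-key and scheduled-task persistence entries (added example)."""
import re
from collections import defaultdict

# Script hosts that an entry claiming to "auto-launch Chrome" has no business invoking.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".wsf")

# Constructed (hypothetical) entries in the shape an analyst might export from the
# HKCU Run key and Task Scheduler. They are NOT the artifacts from the incident on this page.
SAMPLE_ENTRIES = [
    {"kind": "run_key", "name": "ChromeBrowserAutoLaunch",
     "command": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Local\PDFConv\ext\background.js"'},
    {"kind": "scheduled_task", "name": r"\PDFConv\ChromeExtensionUpdate",
     "command": r'C:\Windows\System32\wscript.exe //B C:\Users\alice\AppData\Local\PDFConv\ext\background.js'},
    {"kind": "run_key", "name": "GoogleChromeAutoLaunch_abc",
     "command": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5'},
    {"kind": "scheduled_task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r'%windir%\system32\defrag.exe -c -h -o -$'},
]


def tokenize(command):
    """Split a Windows command line on whitespace while honouring double-quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def triage(entry):
    """Return the reasons an entry warrants analyst attention; an empty list means it looks benign."""
    tokens = tokenize(entry["command"])
    if not tokens:
        return ["empty command line"]
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    args = tokens[1:]
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} launched at startup")
    for arg in args:
        if arg.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append(f"script payload {arg}")
        if arg.lower().startswith("--load-extension="):
            reasons.append("Chrome started with an unpacked extension via --load-extension")
    # Masquerade check: the name promises Chrome, but the executable is something else.
    if "chrome" in entry["name"].lower() and exe != "chrome.exe":
        reasons.append(f"entry name suggests Chrome but executable is {exe}")
    return reasons


def payload_key(entry):
    """Normalised identity of what the entry really runs: the script if there is one, else the executable."""
    tokens = tokenize(entry["command"])
    if not tokens:
        return ""
    scripts = [t for t in tokens if t.lower().endswith(SCRIPT_EXTENSIONS)]
    return (scripts[0] if scripts else tokens[0]).lower()


def find_double_persistence(entries):
    """Map each payload to the persistence mechanisms using it; return those seen in more than one."""
    seen = defaultdict(set)
    for entry in entries:
        key = payload_key(entry)
        if key:
            seen[key].add(entry["kind"])
    return {key: sorted(kinds) for key, kinds in seen.items() if len(kinds) > 1}


def report(entries):
    """Flagged entries (name -> reasons) plus payloads with layered persistence."""
    flagged = {e["name"]: triage(e) for e in entries if triage(e)}
    return flagged, find_double_persistence(entries)


if __name__ == "__main__":
    flagged, doubles = report(SAMPLE_ENTRIES)
    for name, reasons in flagged.items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"      - {reason}")
    for payload, kinds in doubles.items():
        print(f"[!] double persistence for {payload}: {', '.join(kinds)}")
```

The name-versus-executable check is the one that turns "Chrome auto-launch, probably fine" into "why is wscript.exe behind a Chrome-looking name", and the cross-source correlation is what surfaces the second layer of persistence even when the scheduled-task alarm alone would have been dismissed. A real Chrome background-mode entry (chrome.exe with `--no-startup-window`) and a stock Defrag task both pass clean, which is the point: the rules fire on the mismatch, not on the presence of an autostart entry.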