Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls
Name of Element: Honeycomb Registry Hive
Description of Element:
Create a decoy registry hive containing fabricated registry keys and values that mimic legitimate system configurations but contain misleading or deceptive information. Monitor access to this hive to identify attackers attempting to gather system information or modify registry settings.
Technical Context:
Placement: Mounted as a temporary or hidden registry hive within the Windows Registry.
Create a registry hive file using the reg save command or by programmatically creating registry keys and values. Populate the hive with decoy keys that mimic legitimate system configurations, such as entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to non-existent executables or keys under HKLM\SYSTEM\CurrentControlSet\Services with misleading configuration data. Use the RegLoadKey function to load the hive into the registry with a unique and inconspicuous name (e.g., HKU\.DEFAULT\TempHive). Implement a kernel-mode driver or user-mode hook to monitor registry access and log any attempts to query or modify keys within the decoy hive. Consider using the RegNotifyChangeKeyValue function to receive notifications about changes to specific keys.
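The procedure above carried out in PowerShell, as an added example that is not part of this element: it stages decoy Run and Services entries, saves and loads them as a hive, and, in place of the driver or RegNotifyChangeKeyValue monitoring the element mentions, applies a registry audit SACL so access surfaces as Security event 4663. The staging key, hive file path, the HKU\TempHive load point and the decoy values are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the Engage element). Builds a decoy hive, mounts it
# under HKU, and uses registry SACL auditing instead of a driver or
# RegNotifyChangeKeyValue to record who queries or modifies it.

$StagePath = 'HKCU:\Software\HoneycombStage'          # assumption: scratch key used to build the hive
$HiveFile  = 'C:\ProgramData\TempHive.dat'             # assumption: on-disk hive file
$MountName = 'HKU\TempHive'                            # assumption: load point directly under HKU
$MountPath = 'Registry::HKEY_USERS\TempHive'           # same key, provider path form for Get-Acl/Set-Acl

# 1. Decoy content mimicking Run and Services entries (constructed values; the binaries do not exist).
$runKey = "$StagePath\Microsoft\Windows\CurrentVersion\Run"
$svcKey = "$StagePath\CurrentControlSet\Services\RemoteMgmtSvc"
New-Item -Path $runKey -Force | Out-Null
Set-ItemProperty -Path $runKey -Name 'BackupAgent' -Value 'C:\Program Files\BackupAgent\bkagent.exe'
New-Item -Path $svcKey -Force | Out-Null
Set-ItemProperty -Path $svcKey -Name 'ImagePath' -Value 'C:\Windows\System32\rmgmt.exe -svc'
Set-ItemProperty -Path $svcKey -Name 'Start'     -Value 2 -Type DWord

# 2. Save the staged tree as a hive file and load it under the decoy name.
& reg.exe save 'HKCU\Software\HoneycombStage' $HiveFile /y | Out-Null
& reg.exe load $MountName $HiveFile | Out-Null

# 3. Audit reads, enumerations and writes by anyone; needs the "Registry" audit subcategory on.
& auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
$rights = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys, SetValue, CreateSubKey, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None, $flags)
$acl = Get-Acl -Path $MountPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $MountPath -AclObject $acl

# 4. Report Security event 4663 hits whose object path lies inside the decoy hive.
function Get-DecoyHits {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like '\REGISTRY\USER\TempHive*' } |
        Select-Object TimeCreated,
            @{ n = 'User';    e = { $_.Properties[1].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } }
}
Get-DecoyHits | Format-Table -AutoSize
# Cleanup when finished: reg.exe unload HKU\TempHive (fails while any handle to the hive is open).
```

Any 4663 hit from a process other than the script itself is a Query Registry (T1012) or registry-modification attempt against content no legitimate component should touch.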
Other:
Att&ck/Engage Mapping: T1012 Query Registry, E1504 Decoy Content