Maeve Mulholland,
Tim Nary,
and
Fred Frey
Playing Cat and Mouse with the Attacker: Frequent Item Set Mining in the Registry (pdf, video)
In this work we demonstrate a method for mining registry data for signals associated with a target behavior. This methodology allows threat researchers to identify immutable signatures of a behavior without intensive processing of registry logs. We present a strategy for normalizing registry keys and then clustering them in order to make a registry log amenable to frequent item set mining. We show that by recording scripted instances of a behavior of interest, one can generate a set of time-bounded registry logs that can be mined for keys that are linked to the behavior of interest. Application of this methodology in a threat persistence scenario shows that the key associated with four different attack techniques can be easily extracted from a raw registry log with only an example script of the techniques and no prior knowledge of what the techniques entail.