fix_net_profile_analytic #3689
Conversation
author: Teoderick Contreras, Splunk | ||
status: production | ||
type: Anomaly | ||
description: The following analytic detects attempts to modify the Windows Registry to change a network profile's category to "Private", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification—especially outside standard IT processes or correlated with persistence mechanisms—can help identify stealthy post-exploitation activity. | ||
description: The following analytic detects attempts to modify the Windows Registry to change a network profile's category to "Private", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} registry path. This Category value is a REG_DWORD that defines the network type, where 0 typically represents a Public Network, 1 represents a Private Network, and 2 represents a Domain Network. Each of these network classifications dictates distinct default firewall policies and network discovery settings, meaning that modifications to this value can significantly alter the host's security posture by enabling or disabling network access for various services and applications. For instance, a change from a Public to a Private profile often leads to less restrictive firewall policies, potentially exposing more services to the network. While such registry modifications can occur during legitimate network configuration, they may also signal malicious behavior, especially when correlated with other suspicious activities like unusual account activity, unexpected administrative privilege usage, or the execution of unsigned binaries. Therefore, monitoring for these specific registry modifications, particularly when they occur outside of standard IT processes or in conjunction with persistence mechanisms, is crucial for identifying stealthy post-exploitation activity. | ||
data_source: | ||
- Sysmon EventID 13 | ||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry |
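Review bot: the new description (second `description:` line) says the analytic detects a change to "Private" (Category = 1), while the detection files touched by this PR are named windows_set_public_network_profile_via_registry.yml and windows_set_network_profile_category_to_public_via_registry.yml; the name, the description and the Category value compared in the search need to agree before merge, and since the visible search is cut off after the tstats prefix, the value filter cannot be confirmed from this hunk. Please confirm the search compares against the DWORD for Private (1), as the review thread below concludes, and rename the file or reword the description accordingly.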
I assume the rule is looking for changes to a Private profile as described in the ref blog? If so then the value should be 0x00000001.
Yes, that's a typo in the blog. The docs say:
0 = public
1 = private
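As an added example (not code from this PR or from the security_content project), a small Python check that applies the 0 = Public / 1 = Private / 2 = Domain mapping settled on above to constructed Sysmon Event ID 13 records and flags only the switch to Private (0x00000001). The record layout (EventID, Computer, Image, TargetObject, Details) mirrors Sysmon's registry-set event fields, and the sample events and GUID are constructed placeholders.

```python
import re

# Documented meaning of the Category REG_DWORD under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
CATEGORY_NAMES = {0: "Public", 1: "Private", 2: "Domain"}

# Matches the Category value of any profile GUID under NetworkList\Profiles.
PROFILE_PATH = re.compile(
    r"\\NetworkList\\Profiles\\\{[0-9A-Fa-f-]+\}\\Category$", re.IGNORECASE
)
# Sysmon renders DWORD values in the Details field as "DWORD (0x00000001)".
DWORD_DETAILS = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

def parse_category_event(event):
    """Return (key_path, category_int) for an Event ID 13 that sets a
    profile's Category value, or None for any other record."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not PROFILE_PATH.search(target):
        return None
    m = DWORD_DETAILS.fullmatch(event.get("Details", ""))
    if not m:
        return None
    return target, int(m.group(1), 16)

def find_private_profile_changes(events):
    """Flag records that set Category to 1 (Private), i.e. 0x00000001,
    which is the condition the reviewers agreed the analytic should use."""
    hits = []
    for ev in events:
        parsed = parse_category_event(ev)
        if parsed and parsed[1] == 1:
            hits.append({"host": ev["Computer"], "image": ev["Image"],
                         "key": parsed[0],
                         "category": CATEGORY_NAMES[parsed[1]]})
    return hits

# Constructed sample records (not real telemetry); the GUID is a placeholder.
_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList"
        "\\Profiles\\{11111111-2222-3333-4444-555555555555}\\")
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": _KEY + "Category", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "ws01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _KEY + "Category", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "ws02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _KEY + "ProfileName", "Details": "Office"},
]
```

Only the first record is flagged: the second sets the profile back to Public (0) and the third touches a different value under the same GUID.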
@tccontre just a quick ping so that we can get this PR merged.
detections/endpoint/windows_set_public_network_profile_via_registry.yml
detections/endpoint/windows_set_network_profile_category_to_public_via_registry.yml
Removed deprecated analytic story for web fraud detection.
Detection file names follow the <platform>_<mitre att&ck technique>_<short description> nomenclature.

Notes For Submitters and Reviewers
The build CI job, when it fails, will usually show an error describing what is failing. Often this is a very descriptive error naming the specific field(s) in the specific file(s) that cause the issue. In some cases it's also possible that the YAML itself is malformed. Many of these problems can be caught with the pre-commit hooks if you set them up; their errors are less descriptive about what exactly is wrong, but give you a column and row position in a specific file where YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.