Adversaries may use registry wiper functionality associated with CRASHOVERRIDE to erase forensic evidence and disrupt system operations. Proactively hunting for this behavior in Azure Sentinel can help identify early-stage malware activity and prevent data loss or system compromise.
YARA Rule
rule dragos_crashoverride_wiperModuleRegistry {
    meta:
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
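As an added example (not part of this page or of Dragos's tooling), the following pure-Python matcher takes the rule's three hex strings verbatim and shows how the `??` single-byte wildcards and the `all of them` condition behave on constructed byte buffers. It assumes only the standard library and is a teaching aid, not a replacement for the YARA engine.

```python
import re

# The three hex strings from the Dragos rule above, copied verbatim.
PATTERNS = {
    "$s0": "8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50",
    "$s1": "6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ??",
    "$s2": "68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0",
}

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex: each fixed byte becomes an
    escaped literal and each '??' becomes a one-byte wildcard. DOTALL is required
    so the wildcard also matches 0x0a, which '.' would otherwise skip."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}

def scan(buf: bytes) -> dict:
    """Return {string_name: [match offsets]} for every string in the rule."""
    return {name: [m.start() for m in rx.finditer(buf)] for name, rx in COMPILED.items()}

def rule_matches(buf: bytes) -> bool:
    """The rule's condition is 'all of them': every string must hit at least once."""
    return all(scan(buf).values())

def instantiate(pattern: str, filler: int) -> bytes:
    """Constructed test data: realise a pattern by substituting one filler byte for
    every '??'. These are synthetic bytes, not content of any real sample."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())

# Constructed buffer containing all three strings, separated by padding bytes.
SAMPLE_FULL = (b"\x90" * 16 + instantiate(PATTERNS["$s0"], 0x11) + b"\xcc" * 7
               + instantiate(PATTERNS["$s1"], 0x0a) + b"\x00" * 3
               + instantiate(PATTERNS["$s2"], 0xff))
# Constructed buffer with only $s0 and $s1: 'all of them' must evaluate false.
SAMPLE_PARTIAL = instantiate(PATTERNS["$s0"], 0x22) + instantiate(PATTERNS["$s1"], 0x33)

if __name__ == "__main__":
    print(scan(SAMPLE_FULL), rule_matches(SAMPLE_FULL), rule_matches(SAMPLE_PARTIAL))
```

The $s1 instance deliberately uses 0x0a as its wildcard filler, so the DOTALL flag is exercised rather than assumed.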
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler job) is configured to clean up temporary registry entries as part of routine system maintenance.
Filter/Exclusion: Check whether the process originated from Task Scheduler, and use the ImageLoaded or CommandLine fields to identify known maintenance tools (e.g., cleanmgr.exe, or regedit.exe invoked with specific command-line arguments).
Scenario: Admin User Performing Registry Cleanup
Description: A system administrator manually runs a registry cleanup tool (e.g., CCleaner, Wise Registry Cleaner) to remove obsolete entries.
Filter/Exclusion: Filter by the User field to identify administrator accounts, or use ProcessName to exclude known cleanup tools.
Scenario: Windows Update or Group Policy Deployment
Description: A registry wipe occurs as part of a Windows Update or Group Policy change that modifies registry settings.
Filter/Exclusion: Check for Windows Update or Group Policy related processes (e.g., wuauclt.exe, gpupdate.exe) in the ParentProcessName or CommandLine.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool (e.g., Windows Defender, Bitdefender, Kaspersky) temporarily modifies registry entries during a scan or quarantine process.
Filter/Exclusion: Filter by ProcessName to exclude known security tools, or check for antivirus-related names in the ProcessName or CommandLine fields.
Scenario: PowerShell Script for Registry Optimization
Description: A PowerShell script (e.g., Optimize-Registry.ps1) is run by an admin to remove unused registry keys as part of performance tuning.
Filter/Exclusion: Filter by `ProcessName