security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a0bad54dbda170d5369f54ccede5f11f999da4de
blue-team-tools/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
T

26 lines
816 B
YAML
Raw Normal View History

added new rules
2019-10-25 18:01:36 +03:00
title: Windows Registry Persistence - COM key linking
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
added new rules
2019-10-25 18:01:36 +03:00
status: experimental
description: Detects COM object hijacking via TreatAs subkey
references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
Update sysmon_registry_persistence_key_linking.yml
2019-11-07 04:23:20 +03:00
modified: 2019/11/07
added new rules
2019-10-25 18:01:36 +03:00
tags:
- attack.persistence
- attack.t1122
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 12
Update sysmon_registry_persistence_key_linking.yml
2019-11-07 04:23:20 +03:00
TargetObject|startswith: 'HKU\'
TargetObject|contains: '_Classes\CLSID\'
TargetObject|endswith: '\TreatAs'
added new rules
2019-10-25 18:01:36 +03:00
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
level: medium
Reference in New Issue Copy Permalink