Update some registry rules

This commit is contained in:
Nasreddine Bencherchali
2022-08-05 00:39:32 +01:00
parent f2bec5c6af
commit 07e55593c3
5 changed files with 12 additions and 11 deletions
@@ -7,7 +7,7 @@ references:
- https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022/02/13
modified: 2022/07/28
modified: 2022/08/05
logsource:
category: process_creation
product: windows
@@ -15,8 +15,8 @@ detection:
selection:
Image|endswith: \reg.exe
CommandLine|contains:
- 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
- 'HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
- 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
- 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
CommandLine|contains|all:
- 'ADD '
- '/t '
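Review bot: The hive prefix is dropped without a leading backslash in the two replaced Defender values (`'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'`, `'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'`), while the equivalent edits in the FVE hunk (`'\SOFTWARE\Policies\Microsoft\FVE'`) and the write-protection hunk (`'\system\currentcontrolset\control'`) keep one. For consistency across the commit, write these as `'\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'` and `'\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'`, which also keeps the match anchored on a path separator. The reason for dropping the hive is not recorded in any of the three rules; presumably it is to match the long `HKEY_LOCAL_MACHINE\` spelling as well as `HKLM\`, and a comment above each `CommandLine|contains:` list such as `# hive prefix omitted on purpose: both the HKLM\ and HKEY_LOCAL_MACHINE\ spellings should match` would save the next reader from re-deriving it. The detection block continues outside the hunk.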
@@ -6,12 +6,12 @@ references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
author: Florian Roth
date: 2022/03/22
modified: 2022/05/09
modified: 2022/08/05
logsource:
category: process_creation
product: windows
detection:
selection:
selection_reg:
Image|endswith: \reg.exe
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
@@ -23,7 +23,7 @@ detection:
CommandLine|contains:
- 'Real-Time Protection'
- 'TamperProtection'
condition: selection and selection_target
condition: all of selection_*
falsepositives:
- Legitimate use
level: high
@@ -9,6 +9,7 @@ tags:
- attack.t1486
author: frack113
date: 2021/11/15
modified: 2022/08/05
logsource:
category: process_creation
product: windows
@@ -17,7 +18,7 @@ detection:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
- '\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
key:
@@ -4,7 +4,7 @@ description: Looks for changes to registry to disable any write-protect property
status: experimental
author: Sreeman
date: 2021/06/11
modified: 2022/03/07
modified: 2022/08/05
logsource:
product: windows
category: process_creation
@@ -12,7 +12,7 @@ detection:
selection:
CommandLine|contains|all:
- 'reg add'
- 'hklm\system\currentcontrolset\control'
- '\system\currentcontrolset\control'
- 'write protection'
- '0'
CommandLine|contains:
@@ -3,7 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
description: Sysmon registry detection of a local hidden user account.
status: experimental
date: 2021/05/03
modified: 2022/06/02
modified: 2022/08/05
author: Christian Burkard
tags:
- attack.persistence
@@ -15,7 +15,7 @@ logsource:
category: registry_event
detection:
selection:
TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|endswith: '$'
Image|endswith: '\lsass.exe'
condition: selection
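Review bot: Switching `TargetObject|startswith` to `TargetObject|contains` removes the hive anchor without a comment explaining why, so the next maintainer may read it as accidental. If the intent is to accept both the `HKLM\` and `HKEY_LOCAL_MACHINE\` spellings of the hive in the registry event (inferred from the parallel edits in this commit, not stated anywhere), a comment above the line, `# contains rather than startswith: the hive may be written as HKLM or HKEY_LOCAL_MACHINE`, records that. The `TargetObject|endswith: '$'` and `Image|endswith: '\lsass.exe'` selectors still bound the match, so the relaxation looks low-risk. The hunk ends at the condition line; the rest of the rule is outside it.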