Merge pull request #3429 from frack113/clean_reg

registry_event Clean up
Florian Roth
2022-08-25 08:39:37 +02:00
committed by GitHub
4 changed files with 9 additions and 6 deletions
@@ -15,7 +15,7 @@ logsource:
category: registry_event
product: windows
detection:
selection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
condition: selection
falsepositives:
@@ -4,7 +4,7 @@ status: experimental
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
author: Tobias Michalski
date: 2022/02/24
modified: 2022/03/26
modified: 2022/08/23
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
logsource:
@@ -12,6 +12,7 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
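Review bot: The new `EventType: SetValue` selection still keys on `TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'`, so any DWORD under that key written as `0x00000000` matches, not only the crash-dump switch the description names; benign changes to sibling CrashControl values set to zero will surface as hits. If the value the rule is after is `CrashDumpEnabled` (the write the referenced HermeticWiper report describes, to be confirmed against that source), anchoring on the value name is tighter: `TargetObject|endswith: '\Control\CrashControl\CrashDumpEnabled'`. The remaining rule metadata (falsepositives, level) lies outside this hunk.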
@@ -4,7 +4,7 @@ status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
author: Sittikorn S, frack113
date: 2021/07/16
modified: 2022/06/29
modified: 2022/08/23
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -17,9 +17,10 @@ tags:
# - threat_group.Sourgum
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith:
- CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
- CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
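Review bot: The two `TargetObject|endswith` items in this hunk are unquoted plain scalars containing `\` and `{...}`, while the same commit's DNS rule writes its path as a single-quoted string; quoting these the same way makes the string type explicit and keeps a later edit (a stray ` #` or `: `) from changing the parse: `- 'CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)'` and `- 'CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)'`. The two items also spell the subkey differently (`InprocServer32` vs `InProcServer32`); Sigma string matching is specified as case-insensitive, so this is presumably harmless, but normalising the spelling avoids surprises on a backend that compares literally. The selection's `condition` line is outside the hunk.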
@@ -6,7 +6,7 @@ description: Detects the installation of a plugin DLL via ServerLevelPluginDll p
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
modified: 2021/09/12
modified: 2022/08/23
author: Florian Roth
tags:
- attack.defense_evasion
@@ -14,9 +14,10 @@ tags:
- attack.t1112
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
fields:
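Review bot: The metadata keys in this file's first hunk are ordered `references`, `date`, `modified`, `author`, `tags`, whereas the other two rules touched by this commit put `author` before `date`/`modified` and `references` after them. Since the commit already rewrites the `modified:` line here, moving `author: Florian Roth` above `date: 2017/05/08` would bring the file in line with its siblings at no cost. This is a style point only: key order does not affect parsing, and I am assuming the repository's rule-format checks do not enforce it. The `fields:` mapping continues beyond the hunk.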