diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index ae48ef5e2..ee4a492b2 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -15,7 +15,7 @@ logsource:
 category: registry_event
 product: windows
 detection:
-selection:
+selection:
 TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
similarity index 90%
rename from rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml
rename to rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index be96ca227..a3c75e5a4 100644
--- a/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
 author: Tobias Michalski
 date: 2022/02/24
-modified: 2022/03/26
+modified: 2022/08/23
 references:
 - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
 logsource:
@@ -12,6 +12,7 @@ logsource:
 category: registry_set
 detection:
 selection:
+EventType: SetValue
 TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
 Details: 'DWORD (0x00000000)'
 condition: selection
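Review bot: The selection in the second hunk still matches any DWORD written as zero anywhere under `CrashControl` (`TargetObject|contains` plus `Details: 'DWORD (0x00000000)'`), not just the crash-dump switch, so an admin setting e.g. AutoReboot or Overwrite to 0 raises the same alert as HermeticWiper, and the added `EventType: SetValue` does not narrow that. As far as I recall the SentinelOne reference describes HermeticWiper zeroing the `CrashDumpEnabled` value specifically, so the match could be pinned to it with `TargetObject|endswith: '\Control\CrashControl\CrashDumpEnabled'` while keeping `Details: 'DWORD (0x00000000)'` as is. If the broader match is intentional, it should be stated in `falsepositives`, which lies outside this hunk.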
diff --git a/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
similarity index 92%
rename from rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
rename to rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 08a48fe20..7a9c52e09 100644
--- a/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 author: Sittikorn S, frack113
 date: 2021/07/16
-modified: 2022/06/29
+modified: 2022/08/23
 references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -17,9 +17,10 @@ tags:
 # - threat_group.Sourgum
 logsource:
 product: windows
-category: registry_event
+category: registry_set
 detection:
 selection:
+EventType: SetValue
 TargetObject|endswith:
 - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
 - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
similarity index 91%
rename from rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
rename to rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
index 572e3ba60..38ea828ff 100755
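Review bot: With `EventType: SetValue` added, the selection in the second hunk fires on every write of `(Default)` under the two listed `InprocServer32` keys and nothing constrains `Details` (the server path being written), so the OS re-registering these COM servers during servicing yields the same event as a DevilsTongue hijack; because the reference, as I recall, places the hijack DLL under a Windows directory, a `Details` path filter would be unsafe, so this belongs in `falsepositives` and the description rather than in a filter. As a style point, the two entries spell the value path `InprocServer32` and `InProcServer32`; Sigma matches case-insensitively, so behaviour is unchanged, but normalizing both to `InprocServer32` reads better. The `TargetObject|endswith` list and the rest of the detection block continue past the end of the hunk.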
--- a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
@@ -6,7 +6,7 @@ description: Detects the installation of a plugin DLL via ServerLevelPluginDll p
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
-modified: 2021/09/12
+modified: 2022/08/23
 author: Florian Roth
 tags:
 - attack.defense_evasion
@@ -14,9 +14,10 @@ tags:
 - attack.t1112
 logsource:
 product: windows
-category: registry_event
+category: registry_set
 detection:
 selection:
+EventType: SetValue
 TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
 condition: selection
 fields:
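Review bot: Switching the logsource to `registry_set` (Sysmon EID 13 in the generic mapping, as I recall) and pinning `EventType: SetValue` narrows this rule to writes of `ServerLevelPluginDll`; under the old `registry_event` category it also saw the value being deleted or the key renamed, so an attacker clearing the value after the DNS service has loaded the DLL is now silent. Writes are the attack in the linked write-up, so the narrowing looks right, but it is worth recording in the rule, e.g. extending the description with `(value write only; deletion of the value after the DLL was loaded is not covered)` and, if cleanup matters, adding a companion `registry_delete` rule. `endswith` on the bare value name also matches `ControlSet001`/`ControlSet002` paths, which is desirable and worth a comment so nobody tightens it to `CurrentControlSet`. The `fields:` section continues outside the hunk.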