From 0c718d5ce7c3af0e0d8feb5445f96efe2322fe04 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 15 Oct 2020 18:14:56 +0200
Subject: [PATCH] Created Win Regedit import rules

---
 .../win_regedit_import_keys.yml | 35 +++++++++++++++++++
 .../win_regedit_import_keys_ads.yml | 35 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 rules/windows/process_creation/win_regedit_import_keys.yml
 create mode 100644 rules/windows/process_creation/win_regedit_import_keys_ads.yml

diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
new file mode 100644
index 000000000..176da7f72
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
new file mode 100644
index 000000000..2d347763a
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
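Review bot: The list under `CommandLine|contains` in `selection` is OR-ed by Sigma, so the rule fires on any regedit.exe command line containing either ` /i ` or `.reg`, not both; if the switch and the .reg path are meant to go together, split them into two selections and AND them in `condition` (the same list is reused in win_regedit_import_keys_ads.yml). The ` /i ` token itself is worth confirming against the referenced LOLBAS entry, whose import example, as far as I recall, passes the file path with no switch at all. `filter_2` (`:[^ \\]`) is broader than ADS syntax: a colon before a forward slash or any other non-space character also matches, so `regedit C:/tmp/x.reg` or a command line carrying a URL is diverted out of this rule and, via the identical `selection_2` in the ADS rule, surfaces there at level high. A pattern anchored on the `file:stream` form, e.g. `CommandLine|re: '[^ \\:"]{2,}:[^ \\/:"]'` in both files, keeps `C:\`, `C:/` and `scheme://` out while still matching `file.txt:regfile.reg`; `re` is case-sensitive and backend support varies, so test it against the command lines in the references. If the rule schema in use supports it, a `related:` entry pointing at 0b80ade5-6997-4b1d-99a1-71701778ea61 would make the coupling noted in the inline comment machine-readable.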
@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
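Review bot: `selection` still requires ` /i ` or `.reg` on the command line, but an ADS stream name is arbitrary and regedit, as far as I know, does not check the extension of the file it imports, so `regedit C:\ads\file.txt:payload` satisfies `selection_2` yet is missed by this rule. Once the ADS regex is in place the `.reg` requirement mostly costs coverage; reducing `selection` to `Image|endswith: '\regedit.exe'` and keeping `selection_2` and `filter` would close that gap. The description reads `a alternate datastream`; `an alternate data stream` is the standard wording.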