Merge pull request #4025 from nasbench/registry-rules-update

feat: registry rules update
This commit is contained in:
Nasreddine Bencherchali
2023-02-09 12:12:20 +01:00
committed by GitHub
16 changed files with 56 additions and 48 deletions
@@ -1,13 +1,13 @@
title: Sysinternals SDelete Registry Keys
id: 9841b233-8df8-4ad7-9133-b0b4402a9014
status: experimental
status: deprecated
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/06/26
modified: 2023/02/07
tags:
- attack.defense_evasion
- attack.t1070.004
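Review bot: the deprecated rule carries no pointer to its successor. Only the other side of the relation is visible (rule c7da8edc-49ae-45a2-9e61-9fd860e4e73d declares `type: obsoletes` toward 9841b233-8df8-4ad7-9133-b0b4402a9014 later in this diff), so anyone reading this file alone cannot tell which rule replaced it. Consider adding a `related` entry here, or at least a comment naming the replacing rule, alongside the `status: deprecated` change.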
@@ -1,7 +1,7 @@
title: NetWire RAT Registry Key
title: Potential NetWire RAT Activity - Registry
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
status: experimental
description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
description: Detects registry keys related to NetWire RAT
references:
- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
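Review bot: the new description drops the only concrete indicator the old one had (`HKCU\Software\NetWire`). "Detects registry keys related to NetWire RAT" tells an analyst nothing about what will fire; since the selection below is a single `TargetObject|contains: '\software\NetWire'`, keep the key path in the description, e.g. "Detects the creation of the NetWire RAT configuration key under HKCU\Software\NetWire".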
@@ -10,19 +10,19 @@ references:
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021/10/07
modified: 2022/06/26
modified: 2023/02/07
tags:
- attack.defense_evasion
- attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
- attack.t1112
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
# The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
TargetObject|contains: '\software\NetWire'
condition: selection
falsepositives:
- Unknown
level: high
Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set <TargetObject condition="contains">netwire</TargetObjecct> in my configuration.
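Review bot: the trailing `Note:` line is free text at rule level rather than a Sigma field, and it still contains the typo `</TargetObjecct>`. The rest of this PR already uses `logsource.definition` for exactly this purpose (for example "definition: key must be added to the sysmon configuration for this rule to work" in the scheduled task rule), so move the Sysmon guidance into a `definition:` under `logsource:` and fix the closing tag to `</TargetObject>`. Moving the RedCanary comment from the tag line into the detection block is the right place for it.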
@@ -1,13 +1,13 @@
title: Ursnif
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects new registry key created by Ursnif malware.
description: Detects registry keys related to Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019/02/13
modified: 2022/10/09
modified: 2023/02/07
tags:
- attack.execution
- attack.t1112
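Review bot: the tag pair `attack.execution` + `attack.t1112` is inconsistent. T1112 (Modify Registry) is a Defense Evasion technique, and the rule detects registry keys, not execution; since the metadata of this rule is being edited anyway, change the tactic tag to `attack.defense_evasion`. The new description is also vaguer than the old one ("registry keys related to Ursnif malware" versus "new registry key created by Ursnif malware"); name the key being matched so the alert is actionable.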
@@ -1,4 +1,4 @@
title: Persistence Via New AMSI Providers
title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: experimental
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
@@ -7,7 +7,7 @@ references:
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2022/12/19
modified: 2023/02/07
tags:
- attack.persistence
logsource:
@@ -26,5 +26,5 @@ detection:
- 'C:\Program Files (x86)\'
condition: selection and not filter
falsepositives:
- Legitimate security products adding their own AMSI providers
- Legitimate security products adding their own AMSI providers. Filter these according to your environnement
level: high
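Review bot: typo in the new false-positive text, "environnement" should be "environment". The added sentence is otherwise a useful hint, since the `filter` only covers `C:\Program Files\` style paths and third-party AMSI providers installed elsewhere will fire this rule.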
@@ -1,4 +1,4 @@
title: Windows Registry Persistence COM Key Linking
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
@@ -6,7 +6,7 @@ references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2022/09/29
modified: 2023/02/07
tags:
- attack.persistence
- attack.t1546.015
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
EventType: 'CreateKey' # don't want DeleteKey events
EventType: 'CreateKey' # Don't want DeleteKey events
TargetObject|contains|all:
- 'HKU\'
- 'Classes\CLSID\'
@@ -1,4 +1,4 @@
title: Persistence Via Disk Cleanup Handler - NewEntry
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: experimental
description: |
@@ -13,6 +13,7 @@ references:
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/02/07
tags:
- attack.persistence
logsource:
@@ -1,4 +1,4 @@
title: Logon Scripts Creation in UserInitMprLogonScript Registry
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of UserInitMprLogonScript persistence method
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
modified: 2022/06/26
modified: 2023/02/09
tags:
- attack.t1037.001
- attack.persistence
@@ -1,12 +1,12 @@
title: Usage of Sysinternals Tools - Registry
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017/08/28
modified: 2022/11/29
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
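Review bot: the new title "PUA - Sysinternal Tool Execution - Registry" is inconsistent with the sibling rule renamed in the same PR to "PUA - Sysinternals Tools Execution - Registry" (c7da8edc-49ae-45a2-9e61-9fd860e4e73d); the product is "Sysinternals", so use "PUA - Sysinternals Tool Execution - Registry". The description is also slightly inaccurate: the artifact the rule matches is the `EulaAccepted` value (the detection uses `TargetObject|endswith: '\EulaAccepted'`), while `-accepteula` is the command-line switch that sets it. Say "via the creation of the EulaAccepted registry value".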
@@ -1,4 +1,4 @@
title: Usage of Renamed Sysinternals Tools
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
@@ -6,12 +6,12 @@ related:
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: experimental
description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
modified: 2022/12/07
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
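Review bot: the rewritten description is redundant, "Detects the creation of the "accepteula" key ... being created from executables". Suggest: "Detects the creation of the Sysinternals EulaAccepted registry value by an executable whose name does not match the tool it belongs to (e.g. a renamed Sysinternals tool)". As in the parent rule, the value name is `EulaAccepted`; "accepteula" is the switch.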
@@ -34,6 +34,7 @@ detection:
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
@@ -60,6 +61,7 @@ detection:
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
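Review bot: the filter only whitelists `'\sdelete.exe'`, but the selection now matches any `\SDelete` key. SDelete ships as both sdelete.exe and sdelete64.exe, and the surrounding filter entries already pair 32/64-bit names (`'\PsPing64.exe'`, `'\PsService64.exe'`); without a `'\sdelete64.exe'` entry the 64-bit binary will trigger this "renamed tool" rule on legitimate use, contradicting the `Unlikely` false-positive note. Also consider matching the casing style of the other entries (`'\SDelete.exe'`), which is cosmetic since Sigma matching is case-insensitive but keeps the list readable.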
@@ -1,14 +1,17 @@
title: Usage of Suspicious Sysinternals Tools
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 9841b233-8df8-4ad7-9133-b0b4402a9014
type: obsoletes
status: experimental
description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
@@ -19,17 +22,18 @@ detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\ProcDump'
- '\PsExec'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
- '\SDelete'
- '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement
level: medium
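Review bot: the added `'\Sysinternals'` entry makes the rest of the list irrelevant. `TargetObject|contains: '\Sysinternals'` combined with `endswith: '\EulaAccepted'` matches every per-tool key of the form `HKCU\Software\Sysinternals\<Tool>\EulaAccepted`, not only the global `HKCU\Software\Sysinternals\EulaAccepted` key the comment refers to, so this rule now fires on any Sysinternals tool and duplicates the generic rule it is `derived` from (25ffa65d-76d8-4da5-a832-3f2b0136e133) at a higher level. To target only the global key, use a separate selection with `TargetObject|endswith: '\Sysinternals\EulaAccepted'`. Also "environnement" in the false-positive text should be "environment".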
@@ -1,11 +1,12 @@
title: Removal Of Folder From ProtectedFolders In Exploit Guard
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: experimental
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/02/08
tags:
- attack.defense_evasion
- attack.t1562.001
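Review bot: the duplicated "of of" in "list of of exploit guard" survives into the new description; while touching this line, also write the product name as "Exploit Guard" (and "Controlled Folder Access", which is the feature that owns `ProtectedFolders`, as the `TargetObject` path below shows). Suggested text: "Detects the removal of folders from the Controlled Folder Access "ProtectedFolders" list of Windows Defender Exploit Guard. This could indicate an attacker preparing an encryption process or manipulating data inside a protected folder."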
@@ -18,5 +19,5 @@ detection:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
condition: selection
falsepositives:
- Legitimate administrators removing applications (should always be monitored)
- Legitimate administrators removing applications (should always be investigated)
level: high
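Review bot: the false-positive text still says "removing applications", but the detection matches deletions under `...\Controlled Folder Access\ProtectedFolders`, i.e. folders, not the allowed-applications list. Change it to "Legitimate administrators removing folders from the protected list (should always be investigated)". The "monitored" to "investigated" change is good; a deletion here is a one-off action, not something to watch over time.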
@@ -1,4 +1,4 @@
title: Terminal Server Client Connection History Cleared
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
@@ -8,7 +8,7 @@ references:
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021/10/19
modified: 2022/03/26
modified: 2023/02/08
tags:
- attack.defense_evasion
- attack.t1070
@@ -1,26 +1,25 @@
title: Removal Of Amsi Provider Reg Key
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021/06/07
modified: 2022/03/26
modified: 2023/02/08
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: registry_delete
definition: key must be add to the sysmon configuration to works
detection:
selection:
EventType: DeleteKey
TargetObject|endswith:
- '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
- '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
- '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
- '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
condition: selection
falsepositives:
- Unlikely
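Review bot: the `definition` line "key must be add to the sysmon configuration to works" is ungrammatical and is left untouched, while the same sentence is corrected in the scheduled task rule later in this PR ("key must be added to the sysmon configuration for this rule to work"); use the same wording here. Separately, the detection does not enforce the path the description promises: `TargetObject|endswith` on bare CLSIDs will match a `DeleteKey` for `{2781761E-28E0-4109-99FE-B9D127C57AFE}` anywhere in the registry, not only under `HKLM\Software\Microsoft\AMSI\Providers`. Anchor it with `TargetObject|contains: '\Microsoft\AMSI\Providers\'` in the same selection, or put the path into the endswith strings. The added comments on the GUIDs are helpful; consider stating in the description where those identifiers were taken from so they can be re-verified.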
@@ -1,7 +1,9 @@
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
description: |
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
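Review bot: "remove its tracks" in the new description should be "cover its tracks", and the regex-style `".*\shell\open\command"` reads oddly in prose when the rule itself uses plain string matching; "entries under `\shell\open\command` registry keys" says the same thing. "a threat actor or an attacker" is also redundant, one of the two is enough.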
@@ -1,4 +1,4 @@
title: Removal Of Index Value to Hide Schedule Task
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
- id: acd74772-5f88-45c7-956b-6a7b36c294d2
@@ -11,6 +11,7 @@ references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/26
modified: 2023/02/08
tags:
- attack.defense_evasion
- attack.t1562
@@ -1,8 +1,6 @@
title: Removal Of SD Value to Hide Schedule Task
title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
- id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
type: similar
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
status: experimental
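Review bot: the `related` entry for 5b16df71-8615-4f7f-ac9b-6c43c0509e61 (`type: similar`) is dropped without explanation in the commit message. If that rule still exists, the cross-reference should stay; if it was removed or renamed, say so in the PR description so the deletion can be verified rather than appearing as an accidental loss of a link.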
@@ -11,13 +9,13 @@ references:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022/04/15
modified: 2023/02/08
tags:
- attack.defense_evasion
- attack.t1562
logsource:
product: windows
category: registry_delete
definition: key must be added to the sysmon configuration for this rule to work
detection:
selection:
EventType: DeleteKey
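Review bot: the corrected `definition` wording ("key must be added to the sysmon configuration for this rule to work") is the form the other rules in this PR should also use; the AMSI provider removal rule above still carries the old "key must be add to the sysmon configuration to works". Since a `DeleteKey` on the `SD` value only appears in Sysmon Event ID 12 when the task path is included in the configuration, it would also help to name the key to add (`\Schedule\TaskCache\Tree\`) in the definition rather than just "key".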