diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
similarity index 95%
rename from rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
rename to rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
index 211c88a8c..aa3791e74 100644
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -1,13 +1,13 @@
title: Sysinternals SDelete Registry Keys
id: 9841b233-8df8-4ad7-9133-b0b4402a9014
-status: experimental
+status: deprecated
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
-modified: 2022/06/26
+modified: 2023/02/07
tags: - attack.defense_evasion - attack.t1070.004
diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
similarity index 58%
rename from rules/windows/registry/registry_add/registry_add_mal_netwire.yml
rename to rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index 62e50e652..91b79089a 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -1,7 +1,7 @@
-title: NetWire RAT Registry Key
+title: Potential NetWire RAT Activity - Registry
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
status: experimental
-description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
+description: Detects registry keys related to NetWire RAT
references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
@@ -10,19 +10,19 @@ references: - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021/10/07
-modified: 2022/06/26
+modified: 2023/02/07
tags: - attack.defense_evasion
- - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
+ - attack.t1112
logsource: product: windows category: registry_add
detection: selection: EventType: CreateKey
+ # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
TargetObject|contains: '\software\NetWire'
condition: selection
falsepositives: - Unknown
level: high
-Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration.
diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
similarity index 87%
rename from rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
rename to rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
index 5321cd422..c7e322fe5 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
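Review bot: The new `description` drops the one concrete fact the selection depends on, the key under `HKCU\Software\NetWire`, leaving `Detects registry keys related to NetWire RAT`, which no longer tells an analyst which key to expect or why the rule matches with `contains`; `description: Detects the creation of registry keys related to the NetWire RAT, e.g. HKCU\Software\NetWire` keeps that information. The second hunk of this file removes the top-level `Note:` explaining that Sysmon has no concept of HKCU, which is the reason the `contains` match is used; that deployment caveat is worth keeping as a YAML comment next to the `TargetObject|contains: '\software\NetWire'` line rather than losing it with the stray key. The RedCanary comment that was moved into the detection block could carry both remarks in one place.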
@@ -1,13 +1,13 @@
-title: Ursnif
+title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
-description: Detects new registry key created by Ursnif malware.
+description: Detects registry keys related to Ursnif malware.
references: - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019/02/13
-modified: 2022/10/09
+modified: 2023/02/07
tags: - attack.execution - attack.t1112
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
similarity index 88%
rename from rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
index 229e23af8..2e45fbd80 100644
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
@@ -1,4 +1,4 @@
-title: Persistence Via New AMSI Providers
+title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: experimental
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
@@ -7,7 +7,7 @@ references: - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
-modified: 2022/12/19
+modified: 2023/02/07
tags: - attack.persistence
logsource:
@@ -26,5 +26,5 @@ detection: - 'C:\Program Files (x86)\'
condition: selection and not filter
falsepositives:
- - Legitimate security products adding their own AMSI providers
+ - Legitimate security products adding their own AMSI providers. Filter these according to your environnement
level: high
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
old mode 100755
new mode 100644
similarity index 86%
rename from rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 18fe8717e..5d3f45221
--- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -1,4 +1,4 @@
-title: Windows Registry Persistence COM Key Linking
+title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
@@ -6,7 +6,7 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
-modified: 2022/09/29
+modified: 2023/02/07
tags: - attack.persistence - attack.t1546.015
@@ -15,7 +15,7 @@ logsource: product: windows
detection: selection:
- EventType: 'CreateKey' # don't want DeleteKey events
+ EventType: 'CreateKey' # Don't want DeleteKey events
TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\'
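Review bot: The added falsepositives entry misspells "environment" as `environnement`, and the same spelling is introduced in the new falsepositives line of the `@@ -19,17 +22,18 @@` hunk of registry_add_pua_sysinternals_susp_execution_via_eula.yml. Suggested: `- Legitimate security products adding their own AMSI providers. Filter these according to your environment`. Since these strings end up in generated documentation and SIEM alert text, they are worth running through a spell check before merging.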
diff --git a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
similarity index 96%
rename from rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
index 8d74e0da0..09192a552 100644
--- a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
@@ -1,4 +1,4 @@
-title: Persistence Via Disk Cleanup Handler - NewEntry
+title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: experimental
description: |
@@ -13,6 +13,7 @@ references: - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
+modified: 2023/02/07
tags: - attack.persistence
logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
similarity index 88%
rename from rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index 1c6f91361..c4f117ab2 100644
--- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -1,4 +1,4 @@
-title: Logon Scripts Creation in UserInitMprLogonScript Registry
+title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of UserInitMprLogonScript persistence method
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
-modified: 2022/06/26
+modified: 2023/02/09
tags: - attack.t1037.001 - attack.persistence
diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
old mode 100755
new mode 100644
similarity index 74%
rename from rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index df087b4c1..4706b5d67
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -1,12 +1,12 @@
-title: Usage of Sysinternals Tools - Registry
+title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
+description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references: - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017/08/28
-modified: 2022/11/29
+modified: 2023/02/07
tags: - attack.resource_development - attack.t1588.002
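Review bot: The new title `PUA - Sysinternal Tool Execution - Registry` uses the singular "Sysinternal", while the sibling rule renamed in the same commit is titled `PUA - Sysinternals Tools Execution - Registry` and every file path, description and tag on the page spells the suite "Sysinternals"; `title: PUA - Sysinternals Tool Execution - Registry` keeps the two rules consistent and searchable under one name. The `related`/`derived` links between these rules rely on analysts recognising them as a family, so the spelling should not drift between them.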
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
similarity index 84%
rename from rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index 7ad63984a..1e2a436e6 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -1,4 +1,4 @@
-title: Usage of Renamed Sysinternals Tools
+title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
@@ -6,12 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar
status: experimental
-description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
+description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references: - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
-modified: 2022/12/07
+modified: 2023/02/07
tags: - attack.resource_development - attack.t1588.002
@@ -34,6 +34,7 @@ detection: - '\PsPasswd' - '\PsPing' - '\PsService'
+ - '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter: Image|endswith:
@@ -60,6 +61,7 @@ detection: - '\PsPing64.exe' - '\PsService.exe' - '\PsService64.exe'
+ - '\sdelete.exe'
condition: selection and not filter
falsepositives: - Unlikely
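Review bot: The filter in the `@@ -60,6 +61,7 @@` hunk whitelists only `\sdelete.exe`, but every other tool in the visible part of that list has both a 32-bit and a `64.exe` entry (`\PsPing64.exe`, `\PsService64.exe`), and SDelete is also distributed as a 64-bit binary named sdelete64.exe; because the condition is `selection and not filter`, a legitimately named sdelete64.exe creating the newly added `\SDelete` EulaAccepted key would be reported as a renamed tool. Adding `- '\sdelete64.exe'` directly after the new `- '\sdelete.exe'` line keeps the filter consistent with the other entries. Both the selection list and the filter list start outside these hunks, so it is worth checking there that no other tool added recently is missing its 64-bit twin.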
diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
similarity index 67%
rename from rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index 2ba030176..9a32ffecd 100644
--- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
@@ -1,14 +1,17 @@
-title: Usage of Suspicious Sysinternals Tools
+title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 type: derived
+ - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+ type: obsoletes
status: experimental
-description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
+description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references: - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
+modified: 2023/02/07
tags: - attack.resource_development - attack.t1588.002
@@ -19,17 +22,18 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' - '\Process Explorer' + - '\ProcDump' + - '\PsExec' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\SDelete' - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- - Legitimate use of SysInternals tools
+ - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement
level: medium
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index ee57fbdae..37fffeeae 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -1,11 +1,12 @@
-title: Removal Of Folder From ProtectedFolders In Exploit Guard
+title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: experimental
-description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process
+description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
+modified: 2023/02/08
tags: - attack.defense_evasion - attack.t1562.001
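Review bot: The rewritten `description` in the first hunk of registry_delete_exploit_guard_protected_folders.yml keeps the doubled word in "list of of exploit guard" from the old text and leaves the product name in lower case, although the new title spells it "Exploit Guard"; `description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder` fixes both. The selection this sentence describes is in the following hunk of the same file.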
@@ -18,5 +19,5 @@ detection: TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
condition: selection
falsepositives:
- - Legitimate administrators removing applications (should always be monitored)
+ - Legitimate administrators removing applications (should always be investigated)
level: high
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index bf9d4c827..92895090a 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -1,4 +1,4 @@
-title: Terminal Server Client Connection History Cleared
+title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
@@ -8,7 +8,7 @@ references: - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021/10/19
-modified: 2022/03/26
+modified: 2023/02/08
tags: - attack.defense_evasion - attack.t1070
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index b25948274..84770ee4c 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -1,26 +1,25 @@
-title: Removal Of Amsi Provider Reg Key
+title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
-description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
+description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021/06/07
-modified: 2022/03/26
+modified: 2023/02/08
tags: - attack.defense_evasion - attack.t1562.001
logsource: product: windows category: registry_delete
- definition: key must be add to the sysmon configuration to works
detection: selection: EventType: DeleteKey TargetObject|endswith:
- - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
- - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
+ - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
+ - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
condition: selection
falsepositives: - Unlikely
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 7a355807e..535200c2d 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
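Review bot: The new description says the rule detects deletions "in HKLM\Software\Microsoft\AMSI", but the selection still matches only on `TargetObject|endswith` with the two provider CLSIDs, so a `DeleteKey` on any path ending in one of those GUIDs fires, including, presumably, the provider's own COM registration under a `Classes\CLSID\` path during an update or uninstall, which is worth confirming before relying on `falsepositives: Unlikely`. Adding `TargetObject|contains: '\Microsoft\AMSI\'` to the selection next to the `endswith` list would scope the match to what the description promises. Separately, the `definition: key must be add to the sysmon configuration to works` line is dropped here and in the `@@ -11,13 +9,13 @@` hunk of registry_delete_schtasks_hide_task_via_sd_value_removal.yml; if the field is being retired on purpose, the caveat that Sysmon only emits these `DeleteKey` events when the key is included in its configuration is still useful to deployers as a YAML comment above `detection:`. The new `# IOfficeAntiVirus` and `# ProtectionManagement.dll` annotations are helpful, but neither reference on the page documents that mapping, so a source for it would let the next maintainer verify the GUIDs.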
@@ -1,7 +1,9 @@
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
-description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
+description: |
+ Detects any deletion of entries in ".*\shell\open\command" registry keys.
+ These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references: - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
similarity index 92%
rename from rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
rename to rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index 77d0c1f3b..04f68324f 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -1,4 +1,4 @@
-title: Removal Of Index Value to Hide Schedule Task
+title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related: - id: acd74772-5f88-45c7-956b-6a7b36c294d2
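Review bot: The second line of the new multi-line description reads awkwardly: "by a threat actor or an attacker" is redundant and "remove its tracks" does not agree with its subject; `These registry keys might have been used for COM hijacking activities by a threat actor, and their deletion could indicate an attempt to cover their tracks.` says the same thing. The first line quotes `".*\shell\open\command"`, a regex carried over from the old description, whereas the selection (outside this hunk) presumably uses a plain `contains` value; stating the literal path fragment the rule matches on would be more useful to an analyst than the regex form.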
@@ -11,6 +11,7 @@ references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/26
+modified: 2023/02/08
tags: - attack.defense_evasion - attack.t1562
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
similarity index 80%
rename from rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
rename to rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index a0cdb326d..4cb5739aa 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
@@ -1,8 +1,6 @@
-title: Removal Of SD Value to Hide Schedule Task
+title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related: - - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61 - type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar
status: experimental
@@ -11,13 +9,13 @@ references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022/04/15
+modified: 2023/02/08
tags: - attack.defense_evasion - attack.t1562
logsource: product: windows category: registry_delete
- definition: key must be added to the sysmon configuration for this rule to work
detection: selection: EventType: DeleteKey