From 3ec159a400329333ba29fe8ea2a428ccba47fafd Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 8 Feb 2023 00:37:22 +0100 Subject: [PATCH 1/5] feat: update `registry_add` rules --- ...ry_add_sysinternals_sdelete_registry_keys.yml | 4 ++-- ...wire.yml => registry_add_malware_netwire.yml} | 10 +++++----- ...rsnif.yml => registry_add_malware_ursnif.yml} | 6 +++--- ... registry_add_persistence_amsi_providers.yml} | 6 +++--- ...registry_add_persistence_com_key_linking.yml} | 6 +++--- ...d_persistence_disk_cleanup_handler_entry.yml} | 3 ++- ...nce_logon_scripts_userinitmprlogonscript.yml} | 2 +- ..._add_pua_sysinternals_execution_via_eula.yml} | 6 +++--- ..._sysinternals_renamed_execution_via_eula.yml} | 8 +++++--- ...pua_sysinternals_susp_execution_via_eula.yml} | 16 ++++++++++------ 10 files changed, 37 insertions(+), 30 deletions(-) rename {rules/windows/registry/registry_add => rules-deprecated/windows}/registry_add_sysinternals_sdelete_registry_keys.yml (95%) rename rules/windows/registry/registry_add/{registry_add_mal_netwire.yml => registry_add_malware_netwire.yml} (58%) rename rules/windows/registry/registry_add/{registry_add_mal_ursnif.yml => registry_add_malware_ursnif.yml} (87%) rename rules/windows/registry/registry_add/{registry_add_amsi_providers_persistence.yml => registry_add_persistence_amsi_providers.yml} (88%) rename rules/windows/registry/registry_add/{registry_add_persistence_key_linking.yml => registry_add_persistence_com_key_linking.yml} (86%) mode change 100755 => 100644 rename rules/windows/registry/registry_add/{registry_add_disk_cleanup_handler_new_entry_persistence.yml => registry_add_persistence_disk_cleanup_handler_entry.yml} (96%) rename rules/windows/registry/registry_add/{registry_add_logon_scripts_userinitmprlogonscript_reg.yml => registry_add_persistence_logon_scripts_userinitmprlogonscript.yml} (91%) rename rules/windows/registry/registry_add/{registry_add_sysinternals_eula_accepted.yml => registry_add_pua_sysinternals_execution_via_eula.yml} 
(74%) mode change 100755 => 100644 rename rules/windows/registry/registry_add/{registry_add_renamed_sysinternals_eula_accepted.yml => registry_add_pua_sysinternals_renamed_execution_via_eula.yml} (86%) rename rules/windows/registry/registry_add/{registry_add_susp_sysinternals_eula_accepted.yml => registry_add_pua_sysinternals_susp_execution_via_eula.yml} (67%) diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml similarity index 95% rename from rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml rename to rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml index 8e31f3caf..2b84cdaf5 100644 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml +++ b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml @@ -1,13 +1,13 @@ title: Sysinternals SDelete Registry Keys id: 9841b233-8df8-4ad7-9133-b0b4402a9014 -status: experimental +status: deprecated description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2022/06/26 +modified: 2023/02/07 tags: - attack.defense_evasion - attack.t1070.004 
diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml similarity index 58% rename from rules/windows/registry/registry_add/registry_add_mal_netwire.yml rename to rules/windows/registry/registry_add/registry_add_malware_netwire.yml index 62e50e652..4fdae99dd 100644 --- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml @@ -1,7 +1,7 @@ -title: NetWire RAT Registry Key +title: Potential NetWire RAT Activity - Registry id: 1d218616-71b0-4c40-855b-9dbe75510f7f status: experimental -description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire +description: Detect registry keys related to NetWire RAT references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/ @@ -10,19 +10,19 @@ references: - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ author: Christopher Peacock date: 2021/10/07 -modified: 2022/06/26 +modified: 2023/02/07 tags: - attack.defense_evasion - - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary + - attack.t1112 logsource: product: windows category: registry_add detection: selection: EventType: CreateKey + # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary TargetObject|contains: '\software\NetWire' condition: selection falsepositives: - Unknown level: high -Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration. 
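Review bot: The removed top-level `Note:` line was an invalid Sigma field, but it was also the only statement that Sysmon has no HKCU concept and that the NetWire key has to be present in the Sysmon configuration before the `CreateKey` match can fire; the new version keeps none of that. Patch 2/5 of this series introduces `logsource.definition` for exactly this requirement in the registry_delete rules, so the same field fits here, under `logsource:`: `    definition: 'Requirements: the registry key \software\NetWire must be added to a sysmon configuration or your monitoring solution in order for this rule to work'`. The comment moved onto the `TargetObject|contains` line says where the key lives, not that it needs to be collected.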
diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml similarity index 87% rename from rules/windows/registry/registry_add/registry_add_mal_ursnif.yml rename to rules/windows/registry/registry_add/registry_add_malware_ursnif.yml index 5321cd422..2e29c59d0 100644 --- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml @@ -1,13 +1,13 @@ -title: Ursnif +title: Potential Ursnif Malware Activity - Registry id: 21f17060-b282-4249-ade0-589ea3591558 status: test -description: Detects new registry key created by Ursnif malware. +description: Detect registry keys related to Ursnif malware. references: - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ author: megan201296 date: 2019/02/13 -modified: 2022/10/09 +modified: 2023/02/07 tags: - attack.execution - attack.t1112 diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml similarity index 88% rename from rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml rename to rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml index 229e23af8..2e45fbd80 100644 --- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml @@ -1,4 +1,4 @@ -title: Persistence Via New AMSI Providers +title: Potential Persistence Via New AMSI Providers - Registry id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 status: experimental description: Detects when an attacker registers a new AMSI provider in order to achieve persistence 
@@ -7,7 +7,7 @@ references: - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/21 -modified: 2022/12/19 +modified: 2023/02/07 tags: - attack.persistence logsource: @@ -26,5 +26,5 @@ detection: - 'C:\Program Files (x86)\' condition: selection and not filter falsepositives: - - Legitimate security products adding their own AMSI providers + - Legitimate security products adding their own AMSI providers. Filter these according to your environnement level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml old mode 100755 new mode 100644 similarity index 86% rename from rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml rename to rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml index 18fe8717e..5d3f45221 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml @@ -1,4 +1,4 @@ -title: Windows Registry Persistence COM Key Linking +title: Potential COM Object Hijacking Via TreatAs Subkey - Registry id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 status: experimental description: Detects COM object hijacking via TreatAs subkey @@ -6,7 +6,7 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 -modified: 2022/09/29 +modified: 2023/02/07 tags: - attack.persistence - attack.t1546.015 @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - EventType: 'CreateKey' # don't want DeleteKey events + EventType: 'CreateKey' # Don't want DeleteKey events TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' 
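Review bot: The new falsepositives entry misspells environment as `environnement` (`Filter these according to your environnement`); the same spelling is added in the falsepositives hunk of registry_add_pua_sysinternals_susp_execution_via_eula.yml later in this patch, and patch 3/5 touches neither line. Suggest `  - Legitimate security products adding their own AMSI providers. Filter these according to your environment` here and the matching fix there.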
diff --git a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml similarity index 96% rename from rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml rename to rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index 8d74e0da0..09192a552 100644 --- a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml @@ -1,4 +1,4 @@ -title: Persistence Via Disk Cleanup Handler - NewEntry +title: Potential Persistence Via Disk Cleanup Handler - Registry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a status: experimental description: | @@ -13,6 +13,7 @@ references: - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/21 +modified: 2023/02/07 tags: - attack.persistence logsource: diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml similarity index 91% rename from rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml rename to rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml index 1c6f91361..3ed507238 100644 --- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml 
@@ -1,4 +1,4 @@ -title: Logon Scripts Creation in UserInitMprLogonScript Registry +title: Potential Persistence Via Logon Scripts - Registry id: 9ace0707-b560-49b8-b6ca-5148b42f39fb status: test description: Detects creation of UserInitMprLogonScript persistence method diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml old mode 100755 new mode 100644 similarity index 74% rename from rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml index df087b4c1..4706b5d67 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml @@ -1,12 +1,12 @@ -title: Usage of Sysinternals Tools - Registry +title: PUA - Sysinternal Tool Execution - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: experimental -description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry +description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis date: 2017/08/28 -modified: 2022/11/29 +modified: 2023/02/07 tags: - attack.resource_development - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml similarity index 86% rename from rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml index 7ad63984a..e75646f43 100644 
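Review bot: The new description says the rule fires on creation of the "accepteula" registry key, but `accepteula` is the command-line switch of the Sysinternals tools; what the registry receives, and what the sibling rules in this patch match with `TargetObject|endswith: '\EulaAccepted'`, is the `EulaAccepted` value (this rule's detection block lies outside the hunk). The descriptions of registry_add_pua_sysinternals_renamed_execution_via_eula.yml and registry_add_pua_sysinternals_susp_execution_via_eula.yml in the same patch carry the same wording. Suggest `description: Detects the execution of a Sysinternals tool via the creation of the "EulaAccepted" registry value` here and the equivalent change in the other two.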
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml @@ -1,4 +1,4 @@ -title: Usage of Renamed Sysinternals Tools +title: Suspicious Execution Of Renamed Sysinternals Tools - Registry id: f50f3c09-557d-492d-81db-9064a8d4e211 related: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 @@ -6,12 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools +description: Detects the creation of the "accepteula" key related to the sysinternals tools being created from non-sysinternals tools references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/24 -modified: 2022/12/07 +modified: 2023/02/07 tags: - attack.resource_development - attack.t1588.002 @@ -34,6 +34,7 @@ detection: - '\PsPasswd' - '\PsPing' - '\PsService' + - '\SDelete' TargetObject|endswith: '\EulaAccepted' filter: Image|endswith: @@ -60,6 +61,7 @@ detection: - '\PsPing64.exe' - '\PsService.exe' - '\PsService64.exe' + - '\sdelete.exe' condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml similarity index 67% rename from rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml index 2ba030176..32c57a386 100644 --- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml 
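Review bot: The filter addition `- '\sdelete.exe'` covers only one image name, while every other tool in the filter list is excluded with both its plain and its `64.exe` build (`\PsPing64.exe`, `\PsService64.exe`); unless the 64-bit name is already listed outside the hunk, a legitimate run of the 64-bit SDelete build now matches the new `- '\SDelete'` selection entry and is reported as a renamed tool. Suggest adding `- '\sdelete64.exe'` directly after the new filter line.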
@@ -1,14 +1,17 @@ -title: Usage of Suspicious Sysinternals Tools +title: PUA - Sysinternals Tools Execution - Registry id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d related: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 type: derived + - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 + type: obsoletes status: experimental -description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry +description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump...etc (part of the Sysinternals suite) via the creation of the "accepteula" registry key. references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/24 +modified: 2023/02/07 tags: - attack.resource_development - attack.t1588.002 @@ -19,17 +22,18 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' - '\Process Explorer' + - '\ProcDump' + - '\PsExec' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\SDelete' - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400 TargetObject|endswith: '\EulaAccepted' condition: selection falsepositives: - - Legitimate use of SysInternals tools + - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement level: medium From 8851420b9293dc5d2a3c158123b60f0614e9a037 Mon Sep 17 00:00:00 2001 
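Review bot: The `- '\Sysinternals'` entry, combined with `TargetObject|endswith: '\EulaAccepted'`, already matches every per-tool key of the form `\Software\Sysinternals\<Tool>\EulaAccepted` (the path shape the deprecated SDelete rule in this patch describes), so the tool-specific entries above it add nothing and the rule fires on any Sysinternals tool rather than the potentially unwanted subset its title and description announce. The inline comment attributes the entry to the global EULA key; if that is the intent, and the global key is the `EulaAccepted` value directly under `\Sysinternals` as I read the linked reference, it belongs in its own selection anchored on the end of the path rather than a substring. Proposed restructure below, with the tool list unchanged.
```yaml
detection:
  selection_tools:
    EventType: CreateKey
    TargetObject|contains:
      # … unchanged: per-tool list …
    TargetObject|endswith: '\EulaAccepted'
  selection_global:
    EventType: CreateKey
    TargetObject|endswith: '\Sysinternals\EulaAccepted'  # Global level https://twitter.com/leonzandman/status/1561736801953382400
  condition: selection_tools or selection_global
```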
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 8 Feb 2023 12:48:51 +0100 Subject: [PATCH 2/5] feat: update `registry_delete` rules --- ...gistry_delete_exploit_guard_protected_folders.yml | 7 ++++--- .../registry_delete_mstsc_history_cleared.yml | 4 ++-- .../registry_delete_removal_amsi_registry_key.yml | 12 ++++++------ ...try_delete_removal_com_hijacking_registry_key.yml | 2 +- ...e_schtasks_hide_task_via_index_value_removal.yml} | 4 +++- ...lete_schtasks_hide_task_via_sd_value_removal.yml} | 7 +++---- 6 files changed, 19 insertions(+), 17 deletions(-) rename rules/windows/registry/registry_delete/{registry_delete_removal_index_value_scheduled_task_hide.yml => registry_delete_schtasks_hide_task_via_index_value_removal.yml} (80%) rename rules/windows/registry/registry_delete/{registry_delete_removal_sd_value_scheduled_task_hide.yml => registry_delete_schtasks_hide_task_via_sd_value_removal.yml} (77%) diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml index ee57fbdae..33ddff3a3 100644 --- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml +++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml 
@@ -1,11 +1,12 @@ -title: Removal Of Folder From ProtectedFolders In Exploit Guard +title: Folder Removed From Exploit Guard ProtectedFolders List - Registry id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40 status: experimental -description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process +description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/05 +modified: 2023/02/08 tags: - attack.defense_evasion - attack.t1562.001 @@ -18,5 +19,5 @@ detection: TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders' condition: selection falsepositives: - - Legitimate administrators removing applications (should always be monitored) + - Legitimate administrators removing applications (should always be investigated) level: high diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml index bf9d4c827..92895090a 100644 --- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml +++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml @@ -1,4 +1,4 @@ -title: Terminal Server Client Connection History Cleared +title: Terminal Server Client Connection History Cleared - Registry id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d status: test description: Detects the deletion of registry keys containing the MSTSC connection history 
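Review bot: The rewritten description keeps the doubled word in `list of of exploit guard`, and the second rewrite of the same line in patch 3/5 (the hunk for this file there) carries it over unchanged. Suggest `description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder`.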
@@ -8,7 +8,7 @@ references: - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html author: Christian Burkard (Nextron Systems) date: 2021/10/19 -modified: 2022/03/26 +modified: 2023/02/08 tags: - attack.defense_evasion - attack.t1070 diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml index b25948274..27dbbeba0 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml 
@@ -1,26 +1,26 @@ -title: Removal Of Amsi Provider Reg Key +title: Removal Of AMSI Provider Registry Keys id: 41d1058a-aea7-4952-9293-29eaaf516465 status: test -description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection +description: Detects the deletion of AMSI providers registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://seclists.org/fulldisclosure/2020/Mar/45 author: frack113 date: 2021/06/07 -modified: 2022/03/26 +modified: 2023/02/08 tags: - attack.defense_evasion - attack.t1562.001 logsource: product: windows category: registry_delete - definition: key must be add to the sysmon configuration to works + definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work' detection: selection: EventType: DeleteKey TargetObject|endswith: - - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' - - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' + - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus + - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll condition: selection falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index 7a355807e..82f0de6f6 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml 
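Review bot: The new `definition:` reads `the following registry key must be added …` but no key follows it, so the operator has to infer the path from `TargetObject|endswith`, which here holds only provider GUIDs; the same text is added to registry_delete_schtasks_hide_task_via_index_value_removal.yml and registry_delete_schtasks_hide_task_via_sd_value_removal.yml later in this patch. Suggest naming the path the rule expects, e.g. `  definition: 'Requirements: DeleteKey events for HKLM\Software\Microsoft\AMSI must be collected by the sysmon configuration or your monitoring solution in order for this rule to work'`, and the respective scheduled-task key in the other two rules.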
@@ -1,7 +1,7 @@ title: Removal of Potential COM Hijacking Registry Keys id: 96f697b0-b499-4e5d-9908-a67bec11cdb6 status: test -description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities. +description: Detects any deletion of entries in ".*\shell\open\command" registry key. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove it's tracks. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml similarity index 80% rename from rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml rename to rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml index 77d0c1f3b..300116ee3 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml @@ -1,4 +1,4 @@ -title: Removal Of Index Value to Hide Schedule Task +title: Removal Of Index Value to Hide Schedule Task - Registry id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec related: - id: acd74772-5f88-45c7-956b-6a7b36c294d2 
@@ -11,12 +11,14 @@ references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/26 +modified: 2023/02/08 tags: - attack.defense_evasion - attack.t1562 logsource: product: windows category: registry_delete + definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work' detection: selection: EventType: DeleteKey diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml similarity index 77% rename from rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml rename to rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml index a0cdb326d..87fd2951f 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml @@ -1,8 +1,6 @@ -title: Removal Of SD Value to Hide Schedule Task +title: Removal Of SD Value to Hide Schedule Task - Registry id: acd74772-5f88-45c7-956b-6a7b36c294d2 related: - - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61 - type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar status: experimental 
@@ -11,13 +9,14 @@ references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ author: Sittikorn S date: 2022/04/15 +modified: 2023/02/08 tags: - attack.defense_evasion - attack.t1562 logsource: product: windows category: registry_delete - definition: key must be added to the sysmon configuration for this rule to work + definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work' detection: selection: EventType: DeleteKey From 0c581fb62ac4158d4889b7c65674f3eb31280f37 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 9 Feb 2023 10:31:11 +0100 Subject: [PATCH 3/5] fix: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../registry/registry_add/registry_add_malware_netwire.yml | 2 +- .../registry/registry_add/registry_add_malware_ursnif.yml | 2 +- ...gistry_add_pua_sysinternals_renamed_execution_via_eula.yml | 2 +- .../registry_add_pua_sysinternals_susp_execution_via_eula.yml | 2 +- .../registry_delete_exploit_guard_protected_folders.yml | 2 +- .../registry_delete_removal_amsi_registry_key.yml | 2 +- .../registry_delete_removal_com_hijacking_registry_key.yml | 4 +++- 7 files changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml index 4fdae99dd..91b79089a 100644 --- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml 
@@ -1,7 +1,7 @@ title: Potential NetWire RAT Activity - Registry id: 1d218616-71b0-4c40-855b-9dbe75510f7f status: experimental -description: Detect registry keys related to NetWire RAT +description: Detects registry keys related to NetWire RAT references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/ diff --git a/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml index 2e29c59d0..c7e322fe5 100644 --- a/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml @@ -1,7 +1,7 @@ title: Potential Ursnif Malware Activity - Registry id: 21f17060-b282-4249-ade0-589ea3591558 status: test -description: Detect registry keys related to Ursnif malware. +description: Detects registry keys related to Ursnif malware. references: - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml index e75646f43..1e2a436e6 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml 
@@ -6,7 +6,7 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the creation of the "accepteula" key related to the sysinternals tools being created from non-sysinternals tools +description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml index 32c57a386..9a32ffecd 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml @@ -6,7 +6,7 @@ related: - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 type: obsoletes status: experimental -description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump...etc (part of the Sysinternals suite) via the creation of the "accepteula" registry key. +description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml index 33ddff3a3..37fffeeae 100644 --- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml +++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml 
@@ -1,7 +1,7 @@
 title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
 id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
 status: experimental
-description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
+description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index 27dbbeba0..7bf67782e 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -1,7 +1,7 @@
 title: Removal Of AMSI Provider Registry Keys
 id: 41d1058a-aea7-4952-9293-29eaaf516465
 status: test
-description: Detects the deletion of AMSI providers registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
+description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://seclists.org/fulldisclosure/2020/Mar/45
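Review bot: The new description line still carries the duplicated word in `list of of exploit guard`; the commit reworded the sentence after it but left this one. Suggest `description: Detects the removal of folders from the "ProtectedFolders" list of Windows Defender Exploit Guard (Controlled Folder Access). This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder`. The rule's detection block is outside this hunk, so I have not checked which value path it keys on.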
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 82f0de6f6..535200c2d 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -1,7 +1,9 @@
 title: Removal of Potential COM Hijacking Registry Keys
 id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
 status: test
-description: Detects any deletion of entries in ".*\shell\open\command" registry key. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove it's tracks.
+description: |
+ Detects any deletion of entries in ".*\shell\open\command" registry keys.
+ These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/7
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
From b7a3000bb281c1c2648920ae1d4ac5a1aa0d8553 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 9 Feb 2023 10:38:21 +0100
Subject: [PATCH 4/5] fix: update modified date
---
...try_add_persistence_logon_scripts_userinitmprlogonscript.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index 3ed507238..c4f117ab2 100644
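Review bot: The rewritten description (and the `title` context line above it) keeps calling `.*\shell\open\command` keys COM hijacking, but those keys are shell verb handlers for ProgIDs/file classes under `Software\Classes`, not CLSID/`InprocServer32` COM registrations; if I read the referenced APT29 evaluation step correctly, that emulation hijacked `HKCU\Software\Classes\Folder\shell\open\command`, which is probably where the label came from. An analyst triaging this alert will otherwise look in the wrong hive, so I would phrase the second line as `These registry keys (shell verb handlers under HKCU/HKLM\Software\Classes, e.g. the Folder class used in the referenced APT29 emulation) might have been hijacked for persistence by a threat actor, and the deletion could indicate steps to remove its tracks.` Deleting such keys is also what an ordinary uninstaller does, so a false-positive note would help if the rule's falsepositives field (outside this hunk) does not already say so.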
--- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
 author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
-modified: 2022/06/26
+modified: 2023/02/09
 tags:
 - attack.t1037.001
 - attack.persistence
From 8c1a5fb83439fe3f4c8ac38bb546a40b967cb1d6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 9 Feb 2023 11:01:58 +0100
Subject: [PATCH 5/5] fix: remove sysmon definition
Removed this definition for now as it's too generic and "obvious"
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
.../registry_delete_removal_amsi_registry_key.yml | 1 -
...egistry_delete_schtasks_hide_task_via_index_value_removal.yml | 1 -
.../registry_delete_schtasks_hide_task_via_sd_value_removal.yml | 1 -
3 files changed, 3 deletions(-)
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index 7bf67782e..84770ee4c 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -14,7 +14,6 @@ tags:
 logsource:
 product: windows
 category: registry_delete
- definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work'
 detection:
 selection:
 EventType: DeleteKey
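Review bot: Dropping `definition` removes the only place this rule stated that `registry_delete` events for `HKLM\Software\Microsoft\AMSI` have to be collected at all; the old wording was vague ("the following registry key" named nothing), which argues for rewriting it rather than deleting it. Sigma's `logsource.definition` field exists for exactly this kind of collection prerequisite, and a generic `registry_delete` log source gives no guarantee that a deployed Sysmon configuration includes this key. Consider `definition: 'Requirements: Sysmon Event ID 12 (DeleteKey) coverage for HKLM\SOFTWARE\Microsoft\AMSI must be enabled in the Sysmon configuration'`. The `TargetObject` selector is outside this hunk, so I have not verified which subkeys the rule matches.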
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index 300116ee3..04f68324f 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -18,7 +18,6 @@ tags:
 logsource:
 product: windows
 category: registry_delete
- definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work'
 detection:
 selection:
 EventType: DeleteKey
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index 87fd2951f..4cb5739aa 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
@@ -16,7 +16,6 @@ tags:
 logsource:
 product: windows
 category: registry_delete
- definition: 'Requirements: the following registry key must be added to a sysmon configuration or your monitoring solution in order for this rule to work'
 detection:
 selection:
 EventType: DeleteKey
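Review bot: Both scheduled-task rules touched here describe removal of a registry value (`Index` and `SD`, per the file names), yet the selection visible as context keys on `EventType: DeleteKey`; as far as I recall, Sysmon Event ID 12 reports a value deletion as `EventType: DeleteValue` and only emits `DeleteKey` when the whole task subkey goes, so a `reg delete ... /v SD` style hide would never match. Please verify against a real Sysmon event and, if confirmed, change the line to `EventType: DeleteValue` in both rules (the `TargetObject` conditions are outside these hunks). The removed `definition` also leaves nothing telling the reader that the TaskCache `Tree` key (presumably `\Schedule\TaskCache\Tree\`) has to be in the Sysmon registry include list; a concrete one-line `definition` naming that key would serve better than none.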