Merge pull request #898 from rtkbkish/fix-uac-registry

Proposed fix for sysmon_uac_bypass_eventvwr
2020-07-07 22:29:39 +02:00
parent 9e85731253 7e06fd80fd
commit 2032a1e7fd
1 changed files with 22 additions and 15 deletions
@@ -1,3 +1,4 @@
+action: global
 title: UAC Bypass via Event Viewer
 id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 status: experimental
@@ -7,21 +8,6 @@ references:
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth
 date: 2017/03/19
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    methregistry:
-        TargetObject: 'HKU\\*\mscfile\shell\open\command'
-    methprocess:
-        EventID: 1 # Migration to process_creation requires multipart YAML
-        ParentImage: '*\eventvwr.exe'
-    filterprocess:
-        Image: '*\mmc.exe'
-    condition: methregistry or ( methprocess and not filterprocess )
-fields:
-    - CommandLine
-    - ParentCommandLine
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
@@ -30,3 +16,24 @@ tags:
 falsepositives:
    - unknown
 level: critical
+---
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    methregistry:
+        TargetObject: 'HKU\\*\mscfile\shell\open\command'
+    condition: methregistry
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    methprocess:
+        ParentImage: '*\eventvwr.exe'
+    filterprocess:
+        Image: '*\mmc.exe'
+    condition: methprocess and not filterprocess
+fields:
+    - CommandLine
+    - ParentCommandLine