Move to process_creation category

This commit is contained in:
Ryan Plas
2020-10-07 10:47:40 -04:00
parent dc856f24e0
commit 2d30379ab2
@@ -1,4 +1,4 @@
title: Usage of reg or Powershell by Non-privileged Users
title: Non-privileged Usage of reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
status: experimental
@@ -10,11 +10,10 @@ tags:
- attack.defense_evasion
- attack.t1112
logsource:
category: process_creation
product: windows
service: security
detection:
process_creation:
EventID: 1
integrity_level:
IntegrityLevel: Medium
reg:
CommandLine|contains|all:
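Review bot: The `integrity_level` selection still keys solely on `IntegrityLevel: Medium` while the logsource drops `service: security` and `EventID: 1` for `category: process_creation`; IntegrityLevel is populated by Sysmon Event ID 1 and comparable EDR process telemetry but not by Security 4688, so on a backend that maps process_creation to 4688 this selection can never match and the rule goes silent instead of erroring. That data-source requirement should be stated where consumers of the rule will see it, e.g. a comment above the selection: `# IntegrityLevel is a Sysmon EID 1 / EDR field; Security 4688 has no equivalent, so 4688-only mappings will never fire`. The previous `EventID: 1` under `service: security` was itself inconsistent (EID 1 is Sysmon), so the move is the right direction. Note also that matching `Medium` alone excludes Low and AppContainer processes; if "non-privileged" is meant to cover those as well, the selection would need to list them, so confirm this is intentional.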
@@ -36,7 +35,7 @@ detection:
- ImagePath
- FailureCommand
- ServiceDLL
condition: process_creation and (reg or powershell) and registry_folder and registry_key
condition: integrity_level and (reg or powershell) and registry_folder and registry_key
fields:
- EventID
- IntegrityLevel
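Review bot: The `fields:` list still leads with `EventID` even though the new condition no longer references any selection that constrains it, so the first field the rule asks consumers to surface is now unfiltered and, on 4688-mapped backends, will be a different value than the EID 1 the old rule implied. Drop the stale entry or replace it with a field the detection actually uses, e.g. `- CommandLine` alongside `- IntegrityLevel`, since the visible `reg` selection is built on `CommandLine|contains|all`. The `powershell`, `registry_folder` and `registry_key` selection bodies referenced by the condition sit outside this hunk, so I cannot confirm what fields they match on.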