From 2e96df4a11078ee4f79560d43df1aa7e2218862e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 2 Jul 2023 12:23:12 +0200
Subject: [PATCH] Add posh_ps_reg_query_registry

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../posh_ps_reg_query_registry.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
new file mode 100644
index 000000000..1174a760a
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
@@ -0,0 +1,38 @@
+title: Potential Configuration And Service Reconnaissance Via Powershell
+id: 064060aa-09fb-4636-817f-020a32aa7e9e
+related:
+ - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+ type: similar
+status: experimental
+description: Detects the usage of Powershell in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+author: frack113
+date: 2023/07/02
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains:
+ - 'Get-Item'
+ - 'Get-ChildItem'
+ selection_flag:
+ ScriptBlockText|contains: '-Path'
+ selection_key:
+ ScriptBlockText|contains:
+ - 'CurrentVersion\Windows'
+ - 'winlogon\'
+ - 'CurrentVersion\ShellServiceObjectDelayLoad'
+ - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
+ - 'CurrentVersion\Policies\Explorer\Run'
+ - 'currentcontrolset\services'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
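Review bot: The `selection_flag` clause that requires the literal `-Path` is the weakest part of this rule: both `Get-Item` and `Get-ChildItem` bind the path positionally, so `Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services` or a call written with `-LiteralPath` satisfies the other two selections yet never fires, which means the flag adds an evasion path without adding precision. Consider replacing that selection with a registry-provider check instead, e.g. a `ScriptBlockText|contains` list of `'HKLM:'`, `'HKCU:'` and `'Registry::'`, which anchors the match to registry access rather than to one spelling of the parameter. The cmdlet list also leaves out the `gi`/`gci`/`dir`/`ls` aliases and `Get-ItemProperty`, which reads the same keys; whether to add them depends on how much noise the medium level can absorb. Finally, `falsepositives: - Unknown` understates what is known: `currentcontrolset\services` and `CurrentVersion\Windows` are likely to appear in routine inventory and management scripts, so an entry such as `- Administrative and inventory scripts enumerating services or autostart keys` would be more honest and help triage.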