diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml index b1fba2e7a..1a605715c 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml @@ -1,6 +1,6 @@ title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 id: 6c7defa9-69f8-4c34-b815-41fce3931754 -status: experimental +status: test description: | Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21. references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml index 18f824199..1cbb77fb3 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml @@ -1,6 +1,6 @@ title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5 -status: experimental +status: test description: | Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. references: 
diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml index 847f3951d..1d62d0039 100644 --- a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml +++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml @@ -1,6 +1,6 @@ title: Potential CSharp Streamer RAT Loading .NET Executable Image id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82 -status: experimental +status: test description: | Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool. references: diff --git a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml index 20107af84..bf5f653c4 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml @@ -1,6 +1,6 @@ title: Potential Kapeka Decrypted Backdoor Indicator id: 20228d05-dd68-435d-8b4e-e7e64938880c -status: experimental +status: test description: | Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection. 
diff --git a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml index 4de9bda9e..b33d2ab92 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml @@ -1,6 +1,6 @@ title: Kapeka Backdoor Loaded Via Rundll32.EXE id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c -status: experimental +status: test description: | Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In. diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml index 972f94c0e..cea5c8a79 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml @@ -1,6 +1,6 @@ title: Kapeka Backdoor Persistence Activity id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 -status: experimental +status: test description: | Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml index c777955a8..ef65d9c71 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml 
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml @@ -1,6 +1,6 @@ title: Kapeka Backdoor Execution Via RunDLL32.EXE id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12 -status: experimental +status: test description: | Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument. references: diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml index a1b8a6232..f6e582122 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml @@ -3,7 +3,7 @@ id: c0c67b21-eb8a-4c84-a395-40473ec3b482 related: - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 type: similar -status: experimental +status: test description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. references: - https://labs.withsecure.com/publications/kapeka diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml index 796d5b702..08f0a67b7 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml 
@@ -1,6 +1,6 @@ title: Kapeka Backdoor Configuration Persistence id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd -status: experimental +status: test description: | Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. diff --git a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml index 040bbca94..853f4f471 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml @@ -3,7 +3,7 @@ id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a related: - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 type: similar -status: experimental +status: test description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 diff --git a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml index f01c64bc3..cad108b86 100644 --- a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml +++ b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml @@ -1,6 +1,6 @@ title: Windows LAPS Credential Dump From Entra ID id: a4b25073-8947-489c-a8dd-93b41c23f26d -status: experimental +status: test description: Detects when an account dumps the LAPS password from Entra ID. references: - https://twitter.com/NathanMcNulty/status/1785051227568632263 
diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml index f84a4e175..ae403e461 100644 --- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml +++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml @@ -1,6 +1,6 @@ title: Okta New Admin Console Behaviours id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 -status: experimental +status: test description: Detects when Okta identifies new activity in the Admin Console. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml index 3332ea6e2..ed08e43d9 100644 --- a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml +++ b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml @@ -1,6 +1,6 @@ title: Communication To LocaltoNet Tunneling Service Initiated - Linux id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1 -status: experimental +status: test description: | Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml index 43e71d817..cf9449973 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml @@ -3,7 +3,7 @@ id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 related: - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d type: similar -status: experimental +status: test description: Detects failed logon attempts from clients to MSSQL server. references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ 
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 1e1ed8cb2..64ce09625 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -3,7 +3,7 @@ id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d related: - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 type: similar -status: experimental +status: test description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. references: - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ diff --git a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml index 314494a80..5e2c4eb70 100644 --- a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml +++ b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml @@ -3,7 +3,7 @@ id: e043f529-8514-4205-8ab0-7f7d2927b400 related: - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83 type: derived -status: experimental +status: test description: | Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. references: diff --git a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml index fba06acf0..dcdac1687 100644 --- a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml +++ b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml 
@@ -3,7 +3,7 @@ id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a related: - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489 type: obsolete -status: experimental +status: test description: Detects file creation events with filename patterns used by CrackMapExec. references: - https://github.com/byt3bl33d3r/CrackMapExec/ diff --git a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml index 0fe15d328..97c9cedab 100644 --- a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml +++ b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml @@ -1,6 +1,6 @@ title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb -status: experimental +status: test description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module. references: - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 diff --git a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml index 25056016f..4158be2f1 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml @@ -1,6 +1,6 @@ title: DPAPI Backup Keys And Certificate Export Activity IOC id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4 -status: experimental +status: test description: | Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates. references: 
diff --git a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml index cc682c73f..e3b8f1326 100644 --- a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml @@ -1,6 +1,6 @@ title: Communication To LocaltoNet Tunneling Service Initiated id: 3ab65069-d82a-4d44-a759-466661a082d1 -status: experimental +status: test description: | Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml index 17b78e674..c28857ab5 100644 --- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml +++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml @@ -1,6 +1,6 @@ title: Office Application Initiated Network Connection Over Uncommon Ports id: 3b5ba899-9842-4bc2-acc2-12308498bf42 -status: experimental +status: test description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports. references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml index 3e53dbe85..fac351f2c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml 
@@ -3,7 +3,7 @@ id: 846c7a87-8e14-4569-9d49-ecfd4276a01c related: - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e type: similar -status: experimental +status: test description: | Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 0bef6f4db..f5b46ee6e 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -3,7 +3,7 @@ id: ccb5742c-c248-4982-8c5c-5571b9275ad3 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase. diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml index 849d82957..6d9cdc68f 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml 
@@ -1,6 +1,6 @@ title: HackTool - RemoteKrbRelay Execution id: a7664b14-75fb-4a50-a223-cb9bc0afbacf -status: experimental +status: test description: | Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata. references: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml index 5694f2447..599561022 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml @@ -1,6 +1,6 @@ title: HackTool - SharpDPAPI Execution id: c7d33b50-f690-4b51-8cfb-0fb912a31e57 -status: experimental +status: test description: | Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml index 277cda516..b6b963fb6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml 
@@ -3,7 +3,7 @@ id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e related: - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c type: similar -status: experimental +status: test description: | Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 84efde879..48f581187 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml @@ -1,6 +1,6 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a -status: experimental +status: test description: | Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml index 7aa766d20..67044b387 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml 
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml @@ -1,6 +1,6 @@ title: Hypervisor Enforced Paging Translation Disabled id: 7f2954d2-99c2-4d42-a065-ca36740f187b -status: experimental +status: test description: | Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. references: diff --git a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml index 421864416..9fbc1c3fe 100644 --- a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml +++ b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml @@ -1,6 +1,6 @@ title: Periodic Backup For System Registry Hives Enabled id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f -status: experimental +status: test description: | Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
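Review bot: The description in the `proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml` hunk is missing an article and the comma that separates the CVE from its appositive: `Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.` Since the promotion to `status: test` touches this file anyway, suggest `Detects a potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.`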
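Review bot: The second sentence of the description in the `file_event_win_malware_kapeka_backdoor_indicators.yml` hunk has no main verb: `The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.` Suggest `The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.`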
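Review bot: Subject-verb agreement in the description of the `proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml` hunk: `where the dropper launch the backdoor binary` should read `where the dropper launches the backdoor binary`.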
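Review bot: Typo in the description of the `win_security_malware_kapeka_backdoor_scheduled_task_creation.yml` hunk: `commands line flags` should be `command line flags`.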
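Review bot: Typo in the description of the `file_event_win_hktl_krbrelay_remote_ioc.yml` hunk: `Detects the creation of file with specific names` should be `Detects the creation of files with specific names`, matching the plural that follows.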
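Review bot: Misplaced comma in the description of the `proc_creation_win_hktl_krbrelay_remote.yml` hunk: as written, `a Kerberos relaying tool via CommandLine flags and PE metadata` reads as if the tool works via command-line flags. Suggest `Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via CommandLine flags and PE metadata.`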
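Review bot: Typo in the description of the `net_connection_win_office_uncommon_ports.yml` hunk: `office suit application` should be `office suite application`.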
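Review bot: The identical descriptions in the `posh_ps_dsinternals_cmdlets.yml` and `proc_creation_win_powershell_dsinternals_cmdlets.yml` hunks open with a sentence fragment: `Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform ...`. Suggest joining the two with a comma in both files: `Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.`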
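Review bot: Wording in the description of the `proc_creation_win_findstr_recon_pipe_output.yml` hunk: `Attackers often time use this technique` should be `Attackers often use this technique`.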
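Review bot: The last sentence of the description in the `registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml` hunk doubles the verb and lacks a terminating period: `This allows an attacker to load unsigned and untrusted code to be run in the kernel`. Suggest `This allows an attacker to load and run unsigned and untrusted code in the kernel.`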
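Review bot: Stray word and sentence fragment in the description of the `registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml` hunk: `Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" ...`. Suggest a single sentence: `Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.`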
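Review bot: Capitalisation in the description of the `registry_set_enable_periodic_backup.yml` hunk: `Once enabled, The OS will backup System registry hives` should read `Once enabled, the OS will back up system registry hives` (lower-case `the`, and `back up` as the verb).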