feat: update registry_add rules
+2
-2
@@ -1,13 +1,13 @@
title: Sysinternals SDelete Registry Keys
id: 9841b233-8df8-4ad7-9133-b0b4402a9014
status: experimental
status: deprecated
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/06/26
modified: 2023/02/07
tags:
- attack.defense_evasion
- attack.t1070.004
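Review bot: flipping `status: experimental` to `status: deprecated` leaves this file with no pointer to its replacement; the only link is the `type: obsoletes` entry that rule c7da8edc-49ae-45a2-9e61-9fd860e4e73d (last file in this commit) adds toward this id. Since Sigma's `related` types only express that relationship from the new rule's side, add a short sentence to the `description` (e.g. "Deprecated in favour of rule c7da8edc-49ae-45a2-9e61-9fd860e4e73d") so anyone still deploying this file knows where to migrate.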
+5
-5
@@ -1,7 +1,7 @@
title: NetWire RAT Registry Key
title: Potential NetWire RAT Activity - Registry
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
status: experimental
description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
description: Detect registry keys related to NetWire RAT
references:
- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
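Review bot: the new `description` drops the one concrete artifact the rule keys on; the old text named `HKCU\Software\NetWire`, which is exactly what `TargetObject|contains: '\software\NetWire'` matches, and `Detect` should read `Detects` like the other rules touched in this commit. Suggest: `description: Detects the creation of the HKCU\Software\NetWire registry key, commonly used by the NetWire RAT to store its configuration`.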
@@ -10,19 +10,19 @@ references:
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021/10/07
modified: 2022/06/26
modified: 2023/02/07
tags:
- attack.defense_evasion
- attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
- attack.t1112
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
# The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
TargetObject|contains: '\software\NetWire'
condition: selection
falsepositives:
- Unknown
level: high
Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set <TargetObject condition="contains">netwire</TargetObjecct> in my configuration.
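Review bot: the trailing `Note: You likely will have to change the sysmon configuration file ...` line is not a Sigma field (it parses as a stray top-level YAML key), yet it carries the one deployment detail a user of this rule needs: Sysmon cannot filter on HKCU, so the collection config must use a `contains` match on the key name. If that line is being dropped, move the hint into `description` or into the `# The configuration information ...` comment that now sits above `TargetObject|contains`; if it stays, fix the mismatched closing tag `</TargetObjecct>` in the quoted Sysmon snippet.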
+3
-3
@@ -1,13 +1,13 @@
title: Ursnif
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects new registry key created by Ursnif malware.
description: Detect registry keys related to Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019/02/13
modified: 2022/10/09
modified: 2023/02/07
tags:
- attack.execution
- attack.t1112
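Review bot: the tags pair `attack.execution` with `attack.t1112`, but T1112 (Modify Registry) belongs to the Defense Evasion tactic, so the tactic tag should be `attack.defense_evasion`, as the NetWire rule in this same commit already has it; since the file is being touched anyway, this is the moment to fix it. Also `Detect registry keys` should read `Detects registry keys` for consistency with the other descriptions.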
+3
-3
@@ -1,4 +1,4 @@
title: Persistence Via New AMSI Providers
title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: experimental
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
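Review bot: the title now hedges with `Potential`, but the description still states as fact `Detects when an attacker registers a new AMSI provider`, while the rule's own `falsepositives` entry (later hunk) acknowledges that legitimate security products register providers too. Suggest `Detects the registration of a new AMSI provider, a technique that can be used for persistence` so title and description agree.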
@@ -7,7 +7,7 @@ references:
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2022/12/19
modified: 2023/02/07
tags:
- attack.persistence
logsource:
@@ -26,5 +26,5 @@ detection:
- 'C:\Program Files (x86)\'
condition: selection and not filter
falsepositives:
- Legitimate security products adding their own AMSI providers
- Legitimate security products adding their own AMSI providers. Filter these according to your environnement
level: high
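Review bot: typo in the new falsepositives text: `environnement` should be `environment`. The same spelling appears in the falsepositives line added to the PUA Sysinternals rule later in this commit, so fix both in one go.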
Executable → Regular
+3
-3
@@ -1,4 +1,4 @@
title: Windows Registry Persistence COM Key Linking
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
@@ -6,7 +6,7 @@ references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2022/09/29
modified: 2023/02/07
tags:
- attack.persistence
- attack.t1546.015
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
EventType: 'CreateKey' # don't want DeleteKey events
EventType: 'CreateKey' # Don't want DeleteKey events
TargetObject|contains|all:
- 'HKU\'
- 'Classes\CLSID\'
+2
-1
@@ -1,4 +1,4 @@
title: Persistence Via Disk Cleanup Handler - NewEntry
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: experimental
description: |
@@ -13,6 +13,7 @@ references:
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/02/07
tags:
- attack.persistence
logsource:
+1
-1
@@ -1,4 +1,4 @@
title: Logon Scripts Creation in UserInitMprLogonScript Registry
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of UserInitMprLogonScript persistence method
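Review bot: the title changes but `modified` is not bumped in this file (the +1/-1 stat confirms the title is the only change), whereas every other rule in this commit gains `modified: 2023/02/07`; add the same line here so rule consumers that diff on `modified` pick up the rename. The new title also drops `UserInitMprLogonScript`, the actual value name; that is acceptable only because the description still carries it, so keep it there.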
Executable → Regular
+3
-3
@@ -1,12 +1,12 @@
title: Usage of Sysinternals Tools - Registry
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017/08/28
modified: 2022/11/29
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
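Review bot: the new title says `Sysinternal Tool` while the sibling rule in this commit (c7da8edc) uses `Sysinternals Tools`; the suite is named Sysinternals, so align on `PUA - Sysinternals Tool Execution - Registry`. The description also calls the artifact the "accepteula" key, but `accepteula` is the command-line switch; the registry value the related rules actually match is `EulaAccepted` (`TargetObject|endswith: '\EulaAccepted'` in the hunks below), so `via the creation of the "EulaAccepted" registry value` describes what the detection sees.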
+5
-3
@@ -1,4 +1,4 @@
title: Usage of Renamed Sysinternals Tools
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
@@ -6,12 +6,12 @@ related:
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: experimental
description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
description: Detects the creation of the "accepteula" key related to the sysinternals tools being created from non-sysinternals tools
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
modified: 2022/12/07
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
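Review bot: the reworded description doubles up on itself: `Detects the creation of the "accepteula" key ... being created from non-sysinternals tools`. Suggest `Detects the creation of the "EulaAccepted" registry value associated with Sysinternals tools by an image that is not a known Sysinternals binary`, which also names the value the `TargetObject|endswith: '\EulaAccepted'` selection matches rather than the CLI switch.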
@@ -34,6 +34,7 @@ detection:
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
@@ -60,6 +61,7 @@ detection:
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
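Review bot: only `\sdelete.exe` is added to the `Image|endswith` filter, while the neighbouring entries list both 32- and 64-bit binaries (`\PsPing64.exe`, `\PsService64.exe`). SDelete ships as sdelete.exe and sdelete64.exe, so a genuine 64-bit SDelete now hits the new `\SDelete` selection entry from the previous hunk without being filtered and this "renamed tool" rule fires on a correctly named binary; add `- '\sdelete64.exe'`. The lowercase spelling is cosmetic (Sigma string matching is case-insensitive) but the other entries use the tool's CamelCase name.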
+10
-6
@@ -1,14 +1,17 @@
title: Usage of Suspicious Sysinternals Tools
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 9841b233-8df8-4ad7-9133-b0b4402a9014
type: obsoletes
status: experimental
description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump...etc (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/24
modified: 2023/02/07
tags:
- attack.resource_development
- attack.t1588.002
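Review bot: style in the new description: `Procdump...etc` reads better as `ProcDump, etc.` (the tool is spelled ProcDump in the selection list below). The new `type: obsoletes` entry for 9841b233-8df8-4ad7-9133-b0b4402a9014 is consistent with that rule being set to `deprecated` in this same commit.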
@@ -19,17 +22,18 @@ detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\ProcDump'
- '\PsExec'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
- '\SDelete'
- '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement
level: medium
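Review bot: the new `- '\Sysinternals'` entry subsumes every other item in the list. Sysinternals tools write their EULA flag under `HKCU\Software\Sysinternals\<Tool>\EulaAccepted`, so `contains: '\Sysinternals'` combined with `endswith: '\EulaAccepted'` matches any tool in the suite, not just the PUA subset this rule is meant to flag, and makes the rule overlap completely with the derived rule 25ffa65d. If the intent (per the tweet in the comment) is the suite-wide key, match it precisely in its own selection, e.g. `TargetObject|endswith: '\Sysinternals\EulaAccepted'`, and keep the tool list as it was. Two smaller points: `environnement` should be `environment`, and `'\Active Directory Explorer'` is out of alphabetical order between `PsPasswd` and `SDelete` after the re-sort.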