diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
similarity index 95%
rename from rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
rename to rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
index 8e31f3caf..2b84cdaf5 100644
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -1,13 +1,13 @@
 title: Sysinternals SDelete Registry Keys
 id: 9841b233-8df8-4ad7-9133-b0b4402a9014
-status: experimental
+status: deprecated
 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
 references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/9
     - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2022/06/26
+modified: 2023/02/07
 tags:
     - attack.defense_evasion
     - attack.t1070.004
diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
similarity index 58%
rename from rules/windows/registry/registry_add/registry_add_mal_netwire.yml
rename to rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index 62e50e652..4fdae99dd 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -1,7 +1,7 @@
-title: NetWire RAT Registry Key
+title: Potential NetWire RAT Activity - Registry
 id: 1d218616-71b0-4c40-855b-9dbe75510f7f
 status: experimental
-description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
+description: Detect registry keys related to NetWire RAT
 references:
     - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
     - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
@@ -10,19 +10,19 @@ references:
     - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
 author: Christopher Peacock
 date: 2021/10/07
-modified: 2022/06/26
+modified: 2023/02/07
 tags:
     - attack.defense_evasion
-    - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
+    - attack.t1112
 logsource:
     product: windows
     category: registry_add
 detection:
     selection:
         EventType: CreateKey
+        # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
         TargetObject|contains: '\software\NetWire'
     condition: selection
 falsepositives:
     - Unknown
 level: high
-Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration.
diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
similarity index 87%
rename from rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
rename to rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
index 5321cd422..2e29c59d0 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml
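Review bot: The removed trailing `Note:` line carried the only deployment guidance this rule had — that Sysmon, running as a service, cannot match on HKCU/HKEY_CURRENT_USER, which is the reason the selection uses `TargetObject|contains` rather than a full key path — and the second hunk drops that content entirely rather than moving it next to the selection. Dropping it as a top-level key is right (it was never a valid Sigma field), but anyone tuning a Sysmon configuration for this rule still needs the hint; I would keep it as a comment such as `# Sysmon cannot filter on HKCU/HKEY_CURRENT_USER (it runs as a service), hence the 'contains' match on the key name; adjust the Sysmon config accordingly (SwiftOnSecurity)` directly above `TargetObject|contains`. Separately, the first hunk's new description `Detect registry keys related to NetWire RAT` uses the imperative while the sibling rules in this commit use the third person (`Detects the execution ...`); `Detects registry keys related to NetWire RAT` keeps the style consistent, and the same applies to the Ursnif description in the next file.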
@@ -1,13 +1,13 @@
-title: Ursnif
+title: Potential Ursnif Malware Activity - Registry
 id: 21f17060-b282-4249-ade0-589ea3591558
 status: test
-description: Detects new registry key created by Ursnif malware.
+description: Detect registry keys related to Ursnif malware.
 references:
     - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
     - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
 author: megan201296
 date: 2019/02/13
-modified: 2022/10/09
+modified: 2023/02/07
 tags:
     - attack.execution
     - attack.t1112
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
similarity index 88%
rename from rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
index 229e23af8..2e45fbd80 100644
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
@@ -1,4 +1,4 @@
-title: Persistence Via New AMSI Providers
+title: Potential Persistence Via New AMSI Providers - Registry
 id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
 status: experimental
 description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
@@ -7,7 +7,7 @@ references:
     - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
-modified: 2022/12/19
+modified: 2023/02/07
 tags:
     - attack.persistence
 logsource:
@@ -26,5 +26,5 @@ detection:
             - 'C:\Program Files (x86)\'
     condition: selection and not filter
 falsepositives:
-    - Legitimate security products adding their own AMSI providers
+    - Legitimate security products adding their own AMSI providers. Filter these according to your environnement
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
old mode 100755
new mode 100644
similarity index 86%
rename from rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 18fe8717e..5d3f45221
--- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -1,4 +1,4 @@
-title: Windows Registry Persistence COM Key Linking
+title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
 id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
 status: experimental
 description: Detects COM object hijacking via TreatAs subkey
@@ -6,7 +6,7 @@ references:
     - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
-modified: 2022/09/29
+modified: 2023/02/07
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: 'CreateKey' # don't want DeleteKey events
+        EventType: 'CreateKey' # Don't want DeleteKey events
         TargetObject|contains|all:
             - 'HKU\'
             - 'Classes\CLSID\'
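Review bot: The rewritten falsepositives entry in the AMSI hunk misspells `environnement`; it should read `- Legitimate security products adding their own AMSI providers. Filter these according to your environment`. The falsepositives line added to registry_add_pua_sysinternals_susp_execution_via_eula.yml later in this commit has the same misspelling (`Filter the legitimate paths used in your environment`). Both strings surface in rule catalogs and alert details, so the typo is user-visible rather than cosmetic. The `filter:` list whose last entry `- 'C:\Program Files (x86)\'` opens this hunk starts outside it.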
diff --git a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
similarity index 96%
rename from rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
index 8d74e0da0..09192a552 100644
--- a/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
@@ -1,4 +1,4 @@
-title: Persistence Via Disk Cleanup Handler - NewEntry
+title: Potential Persistence Via Disk Cleanup Handler - Registry
 id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
 status: experimental
 description: |
@@ -13,6 +13,7 @@ references:
     - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
+modified: 2023/02/07
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
similarity index 91%
rename from rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
rename to rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index 1c6f91361..3ed507238 100644
--- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -1,4 +1,4 @@
-title: Logon Scripts Creation in UserInitMprLogonScript Registry
+title: Potential Persistence Via Logon Scripts - Registry
 id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
 status: test
 description: Detects creation of UserInitMprLogonScript persistence method
diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
old mode 100755
new mode 100644
similarity index 74%
rename from rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index df087b4c1..4706b5d67
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -1,12 +1,12 @@
-title: Usage of Sysinternals Tools - Registry
+title: PUA - Sysinternal Tool Execution - Registry
 id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
+description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
 date: 2017/08/28
-modified: 2022/11/29
+modified: 2023/02/07
 tags:
     - attack.resource_development
     - attack.t1588.002
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
similarity index 86%
rename from rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index 7ad63984a..e75646f43 100644
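Review bot: The new title `PUA - Sysinternal Tool Execution - Registry` in the eula-accepted hunk differs from the title this commit gives the derived rule c7da8edc-49ae-45a2-9e61-9fd860e4e73d, `PUA - Sysinternals Tools Execution - Registry`, only by a missing `s`, so the generic rule (any EulaAccepted key) and the curated-tool-list rule become nearly indistinguishable in an alert queue or rule catalog. `Sysinternal` is also not the suite's name. I would use the correct spelling and make the broader scope visible, e.g. `title: PUA - Any Sysinternals Tool Execution - Registry`, so the two titles read as parent and child rather than as a typo of each other.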
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -1,4 +1,4 @@
-title: Usage of Renamed Sysinternals Tools
+title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
 id: f50f3c09-557d-492d-81db-9064a8d4e211
 related:
     - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
@@ -6,12 +6,12 @@ related:
     - id: 8023f872-3f1d-4301-a384-801889917ab4
       type: similar
 status: experimental
-description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
+description: Detects the creation of the "accepteula" key related to the sysinternals tools being created from non-sysinternals tools
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
-modified: 2022/12/07
+modified: 2023/02/07
 tags:
     - attack.resource_development
     - attack.t1588.002
@@ -34,6 +34,7 @@ detection:
             - '\PsPasswd'
             - '\PsPing'
             - '\PsService'
+            - '\SDelete'
         TargetObject|endswith: '\EulaAccepted'
     filter:
         Image|endswith:
@@ -60,6 +61,7 @@ detection:
             - '\PsPing64.exe'
             - '\PsService.exe'
             - '\PsService64.exe'
+            - '\sdelete.exe'
     condition: selection and not filter
 falsepositives:
     - Unlikely
diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
similarity index 67%
rename from rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
rename to rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index 2ba030176..32c57a386 100644
--- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
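Review bot: The filter entry added in the last hunk, `- '\sdelete.exe'`, allowlists only the 32-bit binary, whereas every other tool in this `Image|endswith` list has both a `Tool.exe` and a `Tool64.exe` entry (see `\PsService.exe` / `\PsService64.exe` directly above it); SDelete is also distributed as `sdelete64.exe`, so a legitimate run of the 64-bit build now matches the `\SDelete` selection added in the previous hunk but not the filter, and fires this "renamed tool" rule as a false positive. Adding `- '\sdelete64.exe'` next to the new line keeps the filter consistent with the rest of the list. Both the `selection:` list and the `filter:` list begin outside their hunks, so I cannot see whether an unrelated entry already covers it. The description rewritten in the second hunk, `Detects the creation of the "accepteula" key related to the sysinternals tools being created from non-sysinternals tools`, says "creation ... being created" twice; `Detects the creation of the "accepteula" key of a Sysinternals tool by a process whose image name is not that of a Sysinternals tool` states it once.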
@@ -1,14 +1,17 @@
-title: Usage of Suspicious Sysinternals Tools
+title: PUA - Sysinternals Tools Execution - Registry
 id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
 related:
     - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
       type: derived
+    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+      type: obsoletes
 status: experimental
-description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
+description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump...etc (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/24
+modified: 2023/02/07
 tags:
     - attack.resource_development
     - attack.t1588.002
@@ -19,17 +22,18 @@ detection:
     selection:
         EventType: CreateKey
         TargetObject|contains:
-            - '\PsExec'
-            - '\ProcDump'
+            - '\Active Directory Explorer'
             - '\Handle'
             - '\LiveKd'
             - '\Process Explorer'
+            - '\ProcDump'
+            - '\PsExec'
             - '\PsLoglist'
             - '\PsPasswd'
-            - '\Active Directory Explorer'
+            - '\SDelete'
             - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
         TargetObject|endswith: '\EulaAccepted'
     condition: selection
 falsepositives:
-    - Legitimate use of SysInternals tools
+    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement
 level: medium
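Review bot: The falsepositives guidance added at the end of the second hunk, `Filter the legitimate paths used in your environnement`, tells the reader to filter on paths, but the `selection:` in this hunk constrains only `EventType` and `TargetObject`, so the rule itself exposes no image or path field to filter on; the reader has to guess which field of the registry event to use. Naming it makes the guidance actionable, e.g. `- Legitimate use of Sysinternals tools. Filter on the Image of the tools legitimately deployed in your environment`. That line also spells `SysInternals` with a capital I while the title rewritten in the first hunk spells it `Sysinternals`; the two should agree.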