Merge pull request #2253 from redsand/filter_empty_details_in_registry_changes

Filter empty details in registry changes
frack113
2021-11-12 07:00:58 +01:00
committed by GitHub
2 changed files with 10 additions and 6 deletions
@@ -11,8 +11,8 @@ tags:
- attack.t1547.001
- attack.t1060 # an old one
date: 2019/10/25
modified: 2020/11/04
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community
modified: 2021/11/11
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
logsource:
category: registry_event
product: windows
@@ -190,6 +190,8 @@ detection:
- '\Lsa\Notification Packages'
- '\Lsa\Authentication Packages'
- '\BootVerificationProgram\ImagePath'
filter:
Details: '(Empty)'
condition: main_selection or
session_manager_base and session_manager or
current_version_base and current_version or
@@ -202,7 +204,7 @@ detection:
classes_base and classes or
scripts_base and scripts or
winsock_parameters_base and winsock_parameters or
system_control_base and system_control
system_control_base and system_control and not filter
fields:
- SecurityID
- ObjectName
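Review bot: The appended `and not filter` only applies to the last alternative, `system_control_base and system_control`, because the Sigma specification evaluates `not` before `and` before `or`; every other branch of the disjunction (`main_selection`, `session_manager_base and session_manager`, `current_version_base and current_version`, …) still fires on `(Empty)` Details. If the PR's intent is to suppress empty-value writes for the whole rule, the disjunction has to be parenthesised, e.g. `condition: (main_selection or` … `or system_control_base and system_control) and not filter`; if the narrower scope is deliberate, a comment on `filter:` saying so would stop the next reader from "fixing" it. The condition spans two hunks and its middle lines are outside the visible diff, and `detection:` itself starts before the first hunk, so the full set of branches affected can't be confirmed from here. Note as well that suppressing `(Empty)` also drops the event where an attacker clears a persistence value back to empty after use, which some responders keep as a cleanup signal — worth a one-line comment next to the filter.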
@@ -9,9 +9,9 @@ tags:
- attack.persistence
- attack.t1103 # an old one
- attack.t1546.010
author: Ilyas Ochkov, oscd.community
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019/10/25
modified: 2020/09/06
modified: 2021/11/11
logsource:
category: registry_event
product: windows
@@ -24,7 +24,9 @@ detection:
NewName|endswith:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
condition: selection
filter:
Details: '(Empty)'
condition: selection and not filter
fields:
- EventID
- Image
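Review bot: The new `filter` on `Details: '(Empty)'` is undocumented in the rule, and it quietly also drops the event in which AppInit_DLLs is reset to empty — benign for code execution, but that is also what an attacker does when cleaning up, so a comment should state the trade-off, e.g. `# Suppress value set with no data (rendered as '(Empty)'); also hides resets to empty after use`. As far as I can tell `(Empty)` is the Sysmon rendering of empty value data, so on a non-Sysmon `registry_event` source the literal may never match and the filter silently becomes a no-op — the safe direction, but worth stating since the logsource is the generic category rather than Sysmon. The `selection` block starts before the hunk, so I can't see whether it also keys on `TargetObject` for value-set events (which I believe are the ones that carry `Details`); `selection and not filter` has the right precedence either way.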