From 9fddfd4afbbe34fd012b8b4c1fb964496e1db961 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 11 Nov 2021 17:34:20 +0000
Subject: [PATCH 1/2] filter out where Details is (Empty)

---
 .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 +++-
 .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index cac8f9e7d..c1a5177c5 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -190,6 +190,8 @@ detection:
             - '\Lsa\Notification Packages'
             - '\Lsa\Authentication Packages'
             - '\BootVerificationProgram\ImagePath'
+    filter:
+        Details: '(Empty)'
     condition: main_selection or
                session_manager_base and session_manager or
                current_version_base and current_version or
@@ -202,7 +204,7 @@ detection:
                classes_base and classes or
                scripts_base and scripts or
                winsock_parameters_base and winsock_parameters or
-               system_control_base and system_control
+               system_control_base and system_control and not filter
 fields:
     - SecurityID
     - ObjectName
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 820a65f60..dd3467c76 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -24,7 +24,9 @@ detection:
         NewName|endswith:
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
             - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
-    condition: selection
+    filter:
+        Details: '(Empty)'
+    condition: selection and not filter
 fields:
     - EventID
     - Image
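Review bot: The new `filter` selection matches the literal string `(Empty)` with no explanation of where that value comes from, so a reader of the rule cannot tell whether it is a placeholder or real event data. As far as I know Sysmon emits `(Empty)` into Details for a SetValue whose data is empty, so a comment above the selection such as `# Sysmon reports Details as '(Empty)' when the value is written with no data; such writes carry no payload to inspect` would ground the exclusion — please confirm the literal against the Sysmon version you target. Note that this also suppresses a deliberate blanking of an ASEP such as `\Lsa\Authentication Packages` or `\Lsa\Notification Packages`, which can itself be an integrity-relevant change; if that matters, record the trade-off under `falsepositives` rather than dropping it silently. The `detection` block and the `system_control` selection start before this hunk.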
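Review bot: The added `and not filter` on the last line of the condition binds only to `system_control_base and system_control`, because Sigma evaluates `not` before `and` before `or`, so the exclusion never applies to `main_selection` or to any of the other `*_base and *` pairs in the chain — an empty-value write to a `\CurrentVersion\Run` key, for example, still fires. Parenthesise the whole alternation before applying the filter: change the first line of the scalar to `condition: (main_selection or` and the last line to `system_control_base and system_control) and not filter`, leaving the intermediate `… or` lines as they are. The `condition` scalar begins in the previous hunk and several of its middle lines lie outside this diff, so the edit touches two lines that are not adjacent here. It would be worth adding a test event (EventID 13, `Details: (Empty)`, a `main_selection` path) to the rule's validation data to show the filter now covers every branch.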
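Review bot: The selection is named just `filter`, which says nothing about what it excludes and will collide with any second exclusion added later; a descriptive name keeps the condition self-explaining, e.g. `filter_empty_value:` with `Details: '(Empty)'` beneath it and `condition: selection and not filter_empty_value`. A short comment above it is also warranted because Details is, to my knowledge, populated only on Sysmon EventID 13 (SetValue); key creation and the rename events matched through `NewName` carry no Details, so they are unaffected by this filter and still fire — worth stating so nobody later assumes the rule has gone quiet on those. Sigma string matching here is exact (case-insensitive) on the whole field, so a backend that renders an empty value as `""` rather than `(Empty)` will not be filtered; confirm against the log pipeline in use. The `selection` mapping begins before this hunk.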
From 07f9e3912cd3a9e91cc0f7dd8968b89c1df2cd07 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 11 Nov 2021 20:34:00 +0000
Subject: [PATCH 2/2] updating modified date and author fields

---
 .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 ++--
 .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index c1a5177c5..52a4072ff 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -11,8 +11,8 @@ tags:
     - attack.t1547.001
     - attack.t1060 # an old one
 date: 2019/10/25
-modified: 2020/11/04
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community
+modified: 2021/11/11
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
 logsource:
     category: registry_event
     product: windows
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index dd3467c76..e54f396b2 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -9,9 +9,9 @@ tags:
     - attack.persistence
     - attack.t1103 # an old one
     - attack.t1546.010
-author: Ilyas Ochkov, oscd.community
+author: Ilyas Ochkov, oscd.community, Tim Shelton
 date: 2019/10/25
-modified: 2020/09/06
+modified: 2021/11/11
 logsource:
     category: registry_event
     product: windows