From 5a98fdbbbd85c40075a67882f44a240d528125f2 Mon Sep 17 00:00:00 2001
From: zinint
Date: Thu, 24 Oct 2019 16:33:29 +0300
Subject: [PATCH] ART t1004

---
 .../powershell_winlogon_helper_dll.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_winlogon_helper_dll.yaml

diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yaml b/rules/windows/powershell/powershell_winlogon_helper_dll.yaml
new file mode 100644
index 000000000..83a4e058a
--- /dev/null
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yaml
@@ -0,0 +1,27 @@
+title: Winlogon Helper DLL
+status: test
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1004/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
+logsource:
+ product: windows
+ service: powershell
+ description: 'Script block logging must be enabled'
+detection:
+ selection:
+ EventID: 4104
+ keyword1:
+ - '*Set-ItemProperty*'
+ keyword2:
+ - '*New-Item*'
+ keyword3:
+ - '*CurrentVersion\Winlogon*'
+ condition: selection and (keyword1 or keyword2) and keyword3
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1004
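Review bot: The cmdlet keywords in `keyword1` and `keyword2` leave a gap: `New-ItemProperty`, the cmdlet that adds a value to an existing registry key, is not matched, so a script block that writes a Winlogon value that way satisfies `keyword3` but never passes the `(keyword1 or keyword2)` clause; adding `- '*New-ItemProperty*'` under `keyword2` closes it. `falsepositives: - Unknown` is weak for this rule, since administrative scripts that configure Winlogon values (autologon setup, the `Shell`/`Userinit` values) hit the same keywords, and naming them would let triage account for that. The long `description:` plain scalar would read more easily as a `>-` folded block. If the repository's rule template requires `id` and `date` fields, they are missing here.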