Add reg.exe

Reg.exe for Qakbot defense evasion.
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB17_28.02.2023.txt
xcopy  C:\Windows\\\\\\system32\\\\\\reg.exe C:\Users\Admin\AppData\Local\Temp\glanduleHoratory.exe /h /s /e
markus-nclose
2023-03-01 13:27:59 +02:00
committed by GitHub
parent b584dd198e
commit 5d7fe8823b
@@ -52,6 +52,7 @@ detection:
- 'rundll32.exe'
- 'cmstp.exe'
- 'msiexec.exe'
- 'reg.exe'
filter:
Image|endswith:
- '\powershell.exe'
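Review bot: the new `- 'reg.exe'` entry follows the existing pattern of the selection list, but the hunk shows no accompanying update to the rule's metadata; the pr0xylife URL cited in the commit message belongs in the rule's `references` list, and the `modified` date should be bumped in the same commit so consumers can see why reg.exe was added. Also confirm the value matches the casing convention of the neighbouring entries ('rundll32.exe', 'cmstp.exe', 'msiexec.exe'), which it does here.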
@@ -69,6 +70,7 @@ detection:
- '\rundll32.exe'
- '\cmstp.exe'
- '\msiexec.exe'
- '\reg.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
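Review bot: the filter entry `- '\reg.exe'` is consistent with the other `Image|endswith` exclusions, and together with the selection entry in the first hunk it makes `condition: selection and not filter` fire only when the binary runs under a name other than reg.exe, which is exactly the xcopy-to-Temp case in the commit message. Since `endswith` matches any directory, the exclusion also covers a reg.exe copied elsewhere under its own name; if the rule is later tightened to system paths (System32/SysWOW64), reg.exe should be included in that change, and the falsepositives note should mention reg.exe-based installers alongside the existing "custom applications" text.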