Merge pull request #4381 from frack113/refractor_registry_set

Refactor registry_set rules
phantinuss
2023-08-17 12:33:20 +02:00
committed by GitHub
167 changed files with 167 additions and 301 deletions
@@ -9,7 +9,7 @@ references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020/09/29
modified: 2022/12/19
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.persistence
@@ -20,7 +20,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
Details|endswith:
- '.sh'
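Review bot: Removing `EventType: SetValue` from `selection` in this hunk (and in every later hunk of this PR that drops the same line) moves the event-type constraint out of the rule and into whatever the `category: registry_set` logsource is mapped to, so the rule text alone no longer says which registry operation it is about. Where a pipeline maps `registry_set` to Sysmon Event ID 13 this appears equivalent, but a pipeline that maps it to a broader registry event source would now also match key create, delete and rename events on the same `TargetObject`, and rules whose selection shrinks to a single `TargetObject` test (for example the `HKCR\ms-msdt\` and `DelegateExecute` rules in later hunks) widen the most in that case. Rather than re-adding the field per rule, it would be worth stating the assumption once in the PR description or the rule-writing guidance, e.g. `# EventType: SetValue is implied by logsource category registry_set (Sysmon EID 13); do not restate it in selections`, so the next contributor does not put it back in some rules and not others. The `modified: 2023/08/17` bumps in the companion hunks are consistent and need no change.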
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
author: frack113
date: 2022/08/20
modified: 2023/01/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1564.002
@@ -15,7 +15,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\'
TargetObject|endswith: '$'
Details: DWORD (0x00000000)
@@ -8,7 +8,7 @@ references:
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
author: frack113
date: 2021/06/08
modified: 2023/06/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -23,7 +23,6 @@ logsource:
# <TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject>
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Office\'
TargetObject|endswith:
- VBAWarnings
@@ -8,7 +8,7 @@ references:
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick)
date: 2020/05/22
modified: 2023/06/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\Security\Trusted Documents\TrustRecords'
- '\Security\AccessVBOM'
@@ -7,7 +7,7 @@ references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
author: Florian Roth (Nextron Systems)
date: 2021/02/26
modified: 2022/12/19
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1546.012
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
Details|contains: 'MonitorProcess'
condition: selection
@@ -7,7 +7,7 @@ references:
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021/07/16
modified: 2022/08/23
modified: 2023/08/17
tags:
- attack.credential_access
- attack.t1566
@@ -21,7 +21,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith:
- CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
- CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
@@ -6,6 +6,7 @@ references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/19
modified: 2023/08/17
tags:
- attack.persistence
- detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection_path:
EventType: SetValue
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
selection_value:
- TargetObject|contains: 'Microsift'
@@ -6,6 +6,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/05
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1137
@@ -22,7 +23,6 @@ detection:
TargetObject|contains:
- '\Tasks\'
- '\Notes\'
EventType: SetValue
condition: selection
falsepositives:
- Legitimate reminders received for a task or a note will also trigger this rule.
@@ -6,6 +6,7 @@ references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/02
modified: 2023/08/17
tags:
- attack.persistence
- detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
- '\ProfileImagePath'
@@ -6,6 +6,7 @@ references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/10
modified: 2023/08/17
tags:
- attack.persistence
- detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
filter_main_wav:
- TargetObject|endswith: '.AssocFile.WAV'
@@ -9,6 +9,7 @@ references:
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -18,7 +19,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
condition: selection
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022/04/04
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1564.001
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|startswith:
- 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\'
- 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\'
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021/12/30
modified: 2022/09/18
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.010
@@ -19,7 +19,6 @@ detection:
selection:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Monitors\'
Details|endswith: '.dll'
EventType: SetValue
filter_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
@@ -7,6 +7,7 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/08/17
tags:
- attack.persistence
logsource:
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger'
Details|endswith: '.dll'
filter:
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022/08/19
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
Details: DWORD (0x00000001)
condition: selection
@@ -7,6 +7,7 @@ references:
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/04
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
filter:
Details: '%windir%\system32\amsi.dll'
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2023/01/18
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
selection_classes_base:
EventType: SetValue
TargetObject|contains: '\Software\Classes'
selection_classes_target:
TargetObject|contains:
@@ -12,7 +12,7 @@ references:
- https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019/10/25
modified: 2023/03/24
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
main_selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
- '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/09/20
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
system_control_base:
EventType: SetValue
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
system_control_keys:
TargetObject|contains:
@@ -12,7 +12,7 @@ references:
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/10/20
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
current_version_base:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
current_version_keys:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/07/05
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
nt_current_version_base:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
nt_current_version:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
ie:
EventType: SetValue
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Internet Explorer'
- '\Software\Microsoft\Internet Explorer'
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2023/02/17
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
office:
EventType: SetValue
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Office'
- '\Software\Microsoft\Office'
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
session_manager_base:
EventType: SetValue
TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
session_manager:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
scripts_base:
EventType: SetValue
TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
scripts:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
winsock_parameters_base:
EventType: SetValue
TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
winsock_parameters:
TargetObject|contains:
@@ -12,7 +12,7 @@ references:
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2023/01/19
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
selection_wow_current_version_base:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
selection_wow_current_version_keys:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
wow_classes_base:
EventType: SetValue
TargetObject|contains: '\Software\Wow6432Node\Classes'
wow_classes:
TargetObject|contains:
@@ -11,7 +11,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/11/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
wow_nt_current_version_base:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
wow_nt_current_version:
TargetObject|contains:
@@ -7,7 +7,7 @@ references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
author: frack113
date: 2022/01/24
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022/01/05
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -18,7 +18,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\open\command\DelegateExecute'
Details: (Empty)
condition: selection
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022/01/05
modified: 2022/10/05
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.010
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
filter:
Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
@@ -7,7 +7,7 @@ references:
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
author: frack113
date: 2022/01/06
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -19,7 +19,6 @@ detection:
selection:
TargetObject|endswith: '\Environment\windir'
Details|contains: '&REM'
EventType: SetValue
condition: selection
falsepositives:
- Unknown
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
author: frack113
date: 2022/01/01
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1547.010
@@ -18,7 +18,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
filter:
Details: DWORD (0x00000d3d)
@@ -10,7 +10,7 @@ references:
- https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022/01/22
modified: 2022/04/04
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1137
@@ -19,7 +19,6 @@ logsource:
product: windows
detection:
selection_domains:
EventType: SetValue
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
filter:
Details:
@@ -7,6 +7,7 @@ references:
- https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022/07/28
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\SYSTEM\CurrentControlSet\'
TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
condition: selection
@@ -8,7 +8,7 @@ references:
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022/09/17
modified: 2022/09/29
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\ChannelAccess'
# Add more interesting combinations if you found them
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021/12/28
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1133
@@ -17,7 +17,6 @@ detection:
chrome_ext:
TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
TargetObject|endswith: 'update_url'
EventType: SetValue
chrome_vpn:
TargetObject|contains:
- fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
@@ -7,6 +7,7 @@ references:
- https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023/06/12
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -15,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
TargetObject|endswith:
- '\Internet'
@@ -9,7 +9,7 @@ references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021/06/29
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.execution
- attack.privilege_escalation
@@ -22,7 +22,6 @@ logsource:
product: windows
detection:
main:
EventType: SetValue
TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'
selection_1:
Details|contains|all:
@@ -7,7 +7,7 @@ references:
- https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020/09/27
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.privilege_escalation
- attack.t1546
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
condition: selection
falsepositives:
@@ -6,7 +6,7 @@ references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022/02/24
modified: 2022/08/23
modified: 2023/08/17
tags:
- attack.t1564
- attack.t1112
@@ -15,7 +15,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022/05/02
modified: 2022/12/02
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -18,7 +18,6 @@ logsource:
product: windows
detection:
selection_1:
EventType: SetValue
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\Start'
Image|contains:
@@ -32,7 +31,6 @@ detection:
- 'DWORD (0x00000002)' # Automatic
# 3 - Manual , 4 - Disabled
selection_2:
EventType: SetValue
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems)
date: 2022/05/02
modified: 2022/05/04
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection_1:
EventType: SetValue
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\Start'
Image|contains:
@@ -27,7 +26,6 @@ detection:
- 'DWORD (0x00000002)' # Automatic
# 3 - Manual , 4 - Disabled
selection_2:
EventType: SetValue
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
@@ -6,6 +6,7 @@ references:
- https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022/06/11
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1202
@@ -18,7 +19,6 @@ detection:
Details|contains|all:
- 'powershell'
- '-command'
EventType: SetValue
condition: selection
falsepositives:
- Unknown
@@ -6,7 +6,7 @@ references:
- https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020/05/13
modified: 2022/01/13
modified: 2023/08/17
tags:
- attack.persistence
- attack.execution
@@ -17,7 +17,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
Details|contains:
- '.dll'
@@ -7,7 +7,7 @@ references:
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020/05/31
modified: 2022/10/09
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1221
@@ -16,7 +16,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKCR\ms-msdt\'
condition: selection
falsepositives:
@@ -7,7 +7,7 @@ references:
- https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022/08/07
modified: 2022/12/19
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1574
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
filter:
Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
@@ -9,7 +9,7 @@ references:
- https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021/07/06
modified: 2022/11/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -18,8 +18,6 @@ logsource:
category: registry_set
detection:
selection2:
#EventID: 13
EventType: SetValue
TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection2
falsepositives:
@@ -8,7 +8,7 @@ references:
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017/05/15
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -18,7 +18,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022/01/16
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1070.005
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\'
TargetObject|endswith:
- 'AutoShareWks'
@@ -8,7 +8,7 @@ references:
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/01
modified: 2023/01/18
modified: 2023/08/17
tags:
- attack.defense_evasion
logsource:
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection_main:
EventType: SetValue
TargetObject|contains: '\System\CurrentControlSet\Control\WMI\Autologger\'
selection_values:
TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022/01/09
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.004
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
@@ -8,7 +8,7 @@ references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
author: frack113, Nasreddine Bencherchali
date: 2022/03/18
modified: 2022/11/17
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection_set_1:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
@@ -28,7 +27,6 @@ detection:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
Details: 'DWORD (0x00000001)'
selection_set_0:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
@@ -3,6 +3,7 @@ id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: experimental
date: 2022/10/25
modified: 2023/08/17
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
@@ -15,7 +16,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\SOFTWARE\'
- '\Microsoft\Office\'
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022/10/02
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022/08/19
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022/04/04
modified: 2022/09/09
modified: 2023/08/17
tags:
- attack.impact
- attack.t1490
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|contains:
- '\Policies\Microsoft\Windows NT\SystemRestore'
- '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
author: frack113
date: 2022/01/05
modified: 2022/08/06
modified: 2023/08/17
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Details: DWORD (0x00000000)
condition: selection
@@ -7,6 +7,7 @@ references:
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022/08/01
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +16,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start'
Details: 'DWORD (0x00000004)'
condition: selection
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022/08/19
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.004
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
@@ -7,7 +7,7 @@ references:
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/04
modified: 2023/04/05
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\Enabled'
Details: 'DWORD (0x00000000)'
@@ -6,7 +6,7 @@ references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021/08/04
modified: 2022/08/05
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
Details: 'DWORD (00000001)'
condition: selection
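Review bot: The `Details` value at L1087, `'DWORD (00000001)'`, is missing the `0x` prefix that Sysmon uses when rendering DWORD data, so this exact match cannot fire; every other rule in this diff spells the value as `DWORD (0x00000001)` / `DWORD (0x00000000)`. The line should read `Details: 'DWORD (0x00000001)'`. The commit only removes `EventType` here and leaves the broken value in place.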
@@ -6,6 +6,7 @@ references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022/07/04
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -6,7 +6,7 @@ references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021/08/04
modified: 2022/07/04
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -6,7 +6,7 @@ references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021/08/04
modified: 2022/04/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
Details: DWORD (0x00000000)
filter_msmpeng_client: # only disabled temporarily during updates
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022/08/19
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
Details: 'DWORD (0x00000001)'
condition: selection
@@ -13,7 +13,7 @@ references:
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2022/10/21
modified: 2023/08/17
tags:
- attack.persistence
logsource:
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
root:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
selection_autorun:
# Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
@@ -12,7 +12,7 @@ references:
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021/07/22
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1140
@@ -22,15 +22,12 @@ logsource:
category: registry_set
detection:
selection_edge:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
Details: DWORD (0x00000001)
selection_chrome:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
Details: 'secure'
selection_firefox:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
Details: DWORD (0x00000001)
condition: 1 of selection_*
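Review bot: The Chrome selection at L1190 ends with `\SOFTWARE\Google\Chrome\DnsOverHttpsMode`, while the Edge and Firefox selections at L1186 and L1194 target `\SOFTWARE\Policies\...`; Chrome's managed policy on Windows lives under `HKLM\SOFTWARE\Policies\Google\Chrome`, and because `Policies\` sits between `SOFTWARE\` and `Google\`, this `endswith` pattern cannot match that key. If the policy-driven setting is what the rule is meant to catch, `TargetObject|endswith: '\Google\Chrome\DnsOverHttpsMode'` would cover both the policy key and the plain `SOFTWARE\Google\Chrome` key. This is inferred from the sibling selections; please confirm against a Sysmon event from a host with the policy applied.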
@@ -12,7 +12,7 @@ references:
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017/05/08
modified: 2023/02/05
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -22,7 +22,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
falsepositives:
@@ -19,7 +19,7 @@ references:
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/12/09
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -29,11 +29,9 @@ logsource:
category: registry_set
detection:
selection_etw_enabled:
EventType: SetValue
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
EventType: SetValue
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
@@ -8,7 +8,7 @@ references:
- https://www.sans.org/cyber-security-summit/archives
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020/09/10
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.privilege_escalation
@@ -19,7 +19,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\COR_ENABLE_PROFILING'
- '\COR_PROFILER'
@@ -6,7 +6,7 @@ references:
- https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022/06/15
modified: 2022/09/09
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -15,7 +15,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
Details: 'DWORD (0x00000001)'
condition: selection
@@ -6,6 +6,7 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023/01/02
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\File'
filter:
@@ -6,6 +6,7 @@ references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection_key:
EventType: SetValue
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
selection_paths:
TargetObject|contains:
@@ -6,7 +6,7 @@ references:
- https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021/11/19
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
logsource:
@@ -16,7 +16,6 @@ detection:
selection:
TargetObject|contains: 'Classes\.'
Details: 'exefile'
EventType: SetValue
condition: selection
falsepositives:
- Unknown
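Review bot: The selection at L1312-L1313 (`TargetObject|contains: 'Classes\.'` with `Details: 'exefile'`) also matches the legitimate default of `HKCR\.exe`, whose `(Default)` value is `exefile`, so any installer or Windows repair that rewrites the `.exe` association will trigger the rule; the `falsepositives` entry at L1317 says `Unknown` rather than naming this. A filter such as `filter_main_exe: TargetObject|contains: '\Classes\.exe\'` with `condition: selection and not filter_main_exe` would keep the rule focused on the actual hijack, a non-executable extension being pointed at `exefile`. If that false positive was already observed and accepted, listing it under `falsepositives` would document the choice.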
@@ -7,6 +7,7 @@ references:
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/08/17
tags:
- attack.persistence
logsource:
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
condition: selection
falsepositives:
@@ -7,6 +7,7 @@ references:
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/08/17
tags:
- attack.persistence
logsource:
@@ -14,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)'
filter:
Details: 'C:\Windows\System32\hhctrl.ocx'
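Review bot: The filter at L1348-L1349 excludes only `C:\Windows\System32\hhctrl.ocx`, while the selection at L1347 uses `contains` on the CLSID path and so presumably also matches the `WOW6432Node` copy of `{52A2AAAE-...}\InprocServer32\(Default)`, whose benign value would point at `SysWOW64\hhctrl.ocx`; hosts with Windows on a drive other than `C:` are not covered either. Extending the filter to `Details: - 'C:\Windows\System32\hhctrl.ocx' - 'C:\Windows\SysWOW64\hhctrl.ocx'` (as a list) would remove the most likely benign hits without loosening the check to a bare filename. The rule's `condition` is outside this hunk, so I cannot see whether additional filters already exist.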
@@ -8,7 +8,7 @@ references:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
author: frack113
date: 2022/01/22
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1137
@@ -17,11 +17,9 @@ logsource:
product: windows
detection:
selection_HideFileExt:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
Details: 'DWORD (0x00000001)'
selection_Hidden:
EventType: SetValue
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
Details: 'DWORD (0x00000002)'
condition: 1 of selection_*
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022/04/02
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1564.001
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
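Review bot: The `TargetObject` list at L1385-L1387 is an exact match on `HKLM\SOFTWARE\...\Explorer\Advanced\ShowSuperHidden` and `\Hidden`, but these Explorer view settings are normally per-user values that Sysmon records under `HKU\<SID>\SOFTWARE\...`, which an exact HKLM match will never see; the sibling rule at L1364 and L1368 uses `TargetObject|endswith` on the same `\Explorer\Advanced\Hidden` key for that reason. Unless the HKLM-only scope is deliberate, switching to `TargetObject|endswith:` with the hive prefix dropped would align the two rules. If HKLM is intended, a one-line comment stating why would prevent the next reader from treating it as a bug. The remainder of the selection (Details and condition) is outside this hunk.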
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022/03/18
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection_set_1:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
@@ -24,7 +23,6 @@ detection:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
Details: 'DWORD (0x00000001)'
selection_set_0:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
@@ -13,6 +13,7 @@ references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/26
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562
@@ -21,7 +22,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
@@ -7,7 +7,7 @@ references:
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022/04/04
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.impact
- attack.t1490
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|contains:
- '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
@@ -9,6 +9,7 @@ references:
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/16
modified: 2023/08/17
tags:
- attack.defense_evasion
logsource:
@@ -16,7 +17,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022/12/11
modified: 2023/08/17
tags:
- attack.impact
- attack.t1491.001
@@ -14,7 +15,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
@@ -8,6 +8,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022/05/28
modified: 2023/08/17
tags:
- attack.command_and_control
- attack.t1105
@@ -16,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
condition: selection
falsepositives:
@@ -13,6 +13,7 @@ references:
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023/01/13
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -21,7 +22,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
Details: 'DWORD (0x00000001)'
condition: selection
@@ -8,6 +8,7 @@ references:
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022/12/08
modified: 2023/08/17
tags:
- attack.credential_access
- attack.t1003.001
@@ -16,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
@@ -10,7 +10,7 @@ references:
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2022/11/26
modified: 2023/08/17
tags:
- attack.execution
- attack.t1059.005
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Details|startswith: '%AppData%\Roaming\Oracle\bin\'
condition: selection
@@ -9,7 +9,7 @@ references:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020/05/14
modified: 2022/11/26
modified: 2023/08/17
tags:
- attack.execution
- attack.t1112
@@ -19,7 +19,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: Setvalue
TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
condition: selection
falsepositives:
@@ -9,6 +9,7 @@ references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022/11/18
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -17,7 +18,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
condition: selection
falsepositives:
@@ -7,7 +7,7 @@ references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/06/26
modified: 2023/08/17
tags:
- attack.execution
- attack.t1204.002
@@ -16,7 +16,6 @@ logsource:
category: registry_set
detection:
selection:
EventType: Setvalue
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:
@@ -10,7 +10,7 @@ references:
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/23
modified: 2023/02/02
modified: 2023/08/17
tags:
- attack.credential_access
- attack.t1003
@@ -19,7 +19,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
@@ -6,6 +6,7 @@ references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/23
modified: 2023/08/17
tags:
- attack.persistence
logsource:
@@ -13,7 +14,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith: '\Driver'
filter_main_sqlserver:
@@ -6,7 +6,7 @@ references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/23
modified: 2023/05/26
modified: 2023/08/17
tags:
- attack.persistence
- attack.t1003
@@ -15,7 +15,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
@@ -11,7 +11,7 @@ references:
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020/05/22
modified: 2023/06/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1112
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
@@ -12,7 +12,7 @@ references:
- https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/06/08
modified: 2023/06/21
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -21,7 +21,6 @@ logsource:
category: registry_set
detection:
selection_path:
EventType: SetValue
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Security\ProtectedView\'
@@ -6,7 +6,7 @@ references:
- https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
author: frack113
date: 2022/02/26
modified: 2022/03/26
modified: 2023/08/17
tags:
- attack.execution
- attack.t1559.002
@@ -15,13 +15,11 @@ logsource:
product: windows
detection:
selection_word:
EventType: SetValue
TargetObject|endswith: '\Word\Security\AllowDDE'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000002)'
selection_excel:
EventType: SetValue
TargetObject|endswith:
- '\Excel\Security\DisableDDEServerLaunch'
- '\Excel\Security\DisableDDEServerLookup'
@@ -7,7 +7,7 @@ references:
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021/04/05
modified: 2023/02/08
modified: 2023/08/17
tags:
- attack.persistence
- attack.command_and_control
@@ -19,7 +19,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
Details|contains: '0x00000001'
condition: selection
@@ -7,7 +7,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021/04/05
modified: 2023/02/08
modified: 2023/08/17
tags:
- attack.persistence
- attack.command_and_control
@@ -19,7 +19,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Outlook\Security\Level'
Details|contains: '0x00000001' # Enable all Macros
condition: selection
