rule: SilentProcessExit monitors

2021-02-26 17:35:42 +01:00
parent 9d937705c0
commit 79acbbef9f
2 changed files with 49 additions and 0 deletions
@@ -0,0 +1,25 @@
+title: SilentProcessExit Monitor Registrytion
+id: c81fe886-cac0-4913-a511-2822d72ff505
+description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
+author: Florian Roth
+references:
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+date: 2021/02/26
+tags:
+    - attack.persistence
+    - attack.t1546.012
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:       
+        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
+        Details|contain: 'MonitorProcess'
+        EventType:
+            - SetValue
+            - CreateValue
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,24 @@
+title: SilentProcessExit Monitor Registrytion for LSASS
+id: 55e29995-75e7-451a-bef0-6225e2f13597
+description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+author: Florian Roth
+references:
+    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2021/02/26
+tags:
+    - attack.credential_access
+    - attack.t1003.007
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:       
+        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
+        EventType:
+            - SetValue
+            - CreateValue
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical