Update shell open key rule

* Make rule more generic regarding exefile detection instead of only naming it "uac bypass"
* Add further references and attack tags
Andreas Hunkeler
2021-11-19 14:03:56 +01:00
committed by GitHub
parent 5e96a5c151
commit 79cf80fa6b
@@ -1,6 +1,6 @@
title: UAC Bypass Using Registry Shell Open Keys
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
description: Detects the shell open key manipulation (exefile and ms-settings) and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
author: Christian Burkard
date: 2021/08/30
modified: 2021/09/17
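Review bot: the `modified` field is left at 2021/09/17 even though this hunk rewrites both `title` and `description`; Sigma convention is to bump `modified` to the date of the change (the commit is from 2021-11-19), so this should read `modified: 2021/11/19`. Also, the new description still describes only the UAC bypass pattern after the added "(exefile and ms-settings)" clause; a one-line mention of why generic exefile shell open manipulation matters (persistence via changed default file association) would make the broader scope the commit message describes explicit to rule consumers.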
@@ -9,10 +9,12 @@ references:
- https://github.com/hfiref0x/UACME
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
- attack.t1546.001
logsource:
category: registry_event
product: windows
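Review bot: the added reference line embeds a free-text annotation inside the URL entry (`- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]`), which other Sigma rules do not do and which breaks tooling that expects each `references` item to be a bare URL; move the sample note into the `description` or drop the bracketed text. Separately, the new tag `attack.t1546.001` (Event Triggered Execution: Change Default File Association) belongs to the Persistence tactic as well as Privilege Escalation, so `- attack.persistence` should be added alongside the existing `attack.defense_evasion` and `attack.privilege_escalation` tactic tags to keep the tag set consistent.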