Merge pull request #2046 from frack113/fix_Class

Fix invalid registry _Class

rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml

@@ -4,39 +4,42 @@ status: experimental
 description: Detects registry keys created in OceanLotus (also known as APT32) attacks
 references:
     - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
+    - https://github.com/eset/malware-ioc/tree/master/oceanlotus
 tags:
     - attack.defense_evasion
     - attack.t1112
 author: megan201296, Jonhnathan Ribeiro
 date: 2019/04/14
-modified: 2021/09/13
+modified: 2021/09/17
 logsource:
     category: registry_event
     product: windows
 detection:
-    selection:       
-        TargetObject: 
-            - 'HKCU\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+    ioc_1:       
+        TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+    ioc_2:
+        TargetObject|startswith:
+            - HKCU\SOFTWARE\App\
+            - HKLM\SOFTWARE\App\
+        TargetObject|contains:
+            - AppXbf13d4ea2945444d8b13e2121cb6b663\
+            - AppX70162486c7554f7f80f481985d67586d\
+            - AppX37cc7fdccd644b4f85f4b22d5a3f105a\
         TargetObject|endswith:
-              # covers HKU\* and HKLM..
-            - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
-            - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
-            - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
-            - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
-            - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
-            - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+            - Application
+            - DefaultIcon
     selection2:
         TargetObject|startswith:
             - 'HKCU\'
         TargetObject|contains:
             # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
-            - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
+            - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
             # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
-            - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\'
+            - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
             # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
-            - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
-            - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
-    condition: selection or selection2
+            - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
+            - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+    condition: ioc_1 or ioc_2 or selection2
 falsepositives:
     - Unknown
 level: critical

rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml

@@ -6,7 +6,7 @@ references:
     - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
-modified: 2019/11/07
+modified: 2021/09/17
 tags:
     - attack.persistence
     - attack.t1122 # an old one
@@ -19,7 +19,7 @@ detection:
         EventType: 'CreateKey'  # don't want DeleteKey events
         TargetObject|contains|all: 
             - 'HKU\'
-            - '_Classes\CLSID\'
+            - 'Classes\CLSID\'
             - '\TreatAs'
     condition: selection
 falsepositives:

rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml

@@ -7,17 +7,15 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard
 date: 2017/03/17
-modified: 2021/08/31
+modified: 2021/09/17
 logsource:
     category: registry_event
     product: windows
 detection:
     selection1:
-        # usrclass.dat is mounted on HKU\USERSID_Classes\...
-        TargetObject|startswith: 'HKU\'
-        TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
+        TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
     selection2:
-        TargetObject|endswith: '-1???_Classes\Folder\shell\open\command\SymbolicLinkValue'
+        TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
         Details|contains: '-1???\Software\Classes\'
     condition: 1 of selection*
 tags:

rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml

@@ -3,6 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
 description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 author: Christian Burkard
 date: 2021/08/30
+modified: 2021/09/17
 status: experimental
 references:
     - https://github.com/hfiref0x/UACME
@@ -17,14 +18,14 @@ logsource:
     product: windows
 detection:
     selection1:
-        TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue'
+        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
         Details|contains: '\Software\Classes\{'
     selection2:
-        TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute'
+        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
     selection3:
         TargetObject|endswith: 
-            - '_Classes\ms-settings\shell\open\command\(Default)'
-            - '_Classes\exefile\shell\open\command\(Default)'
+            - 'Classes\ms-settings\shell\open\command\(Default)'
+            - 'Classes\exefile\shell\open\command\(Default)'
     filter_sel3:
         Details: '(Empty)'
     condition: selection1 or selection2 or (selection3 and not filter_sel3)