Fax service persistance

rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml

@@ -0,0 +1,24 @@
+title: Change User Account Associated with the FAX Service
+id: e3fdf743-f05b-4051-990a-b66919be1743
+description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
+status: experimental
+references:
+    - https://twitter.com/dottor_morte/status/1544652325570191361
+    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
+date: 2022/07/17
+author: frack113
+level: high
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
+    filter:
+        details|contains: NetworkService
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+tags:
+    - attack.defense_evasion
+    - attack.t1112 

rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml

@@ -0,0 +1,26 @@
+title: Change the Fax Dll
+id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
+description: Detect possible persistance using Fax DLL load when service restart
+status: experimental
+references:
+    - https://twitter.com/dottor_morte/status/1544652325570191361
+    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
+date: 2022/07/17
+author: frack113
+level: high
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        TargetObject|contains|all:
+            - '\Software\Microsoft\Fax\Device Providers\'
+            - '\ImageName'
+    filter:
+        details: '%systemroot%\system32\fxst30.dll' #Windows 10
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+tags:
+    - attack.defense_evasion
+    - attack.t1112