From 539400c3844ec147a84409bedffd332e5c02da09 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 8 Oct 2020 14:47:22 +0200
Subject: [PATCH 1/5] Creation of win_regini
---
 rules/windows/process_creation/win_regini.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/win_regini.yml
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
new file mode 100644
index 000000000..2f7d92227
--- /dev/null
+++ b/rules/windows/process_creation/win_regini.yml
@@ -0,0 +1,26 @@
+title: Modifies the Registry From a File
+id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
+status: experimental
+description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/08
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ condition: selection
+fieds:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
\ No newline at end of file
From 0e07ea3e709c366419a5dceea80495f09504c5bc Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 8 Oct 2020 15:04:09 +0200
Subject: [PATCH 2/5] Corrected author
---
 rules/windows/process_creation/win_regini.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index 2f7d92227..eebf01df8 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
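Review bot: The key `fieds:` in the new rule is a misspelling of the Sigma `fields:` key, so the ParentImage and CommandLine entries under it will not be recognised as the rule's display fields by Sigma tooling; change that line to `fields:`. The same misspelling is carried as context through the later hunks of this series and is repeated in the new win_regini_ads.yml introduced in patch 4, which should be fixed in the same way. The description is also a comma splice; consider `description: Detects the execution of regini.exe, which can be used to modify registry keys with changes imported from one or more text files.`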
@@ -9,7 +9,7 @@ references:
 tags:
 - attack.t1112
 - attack.defense_evasion
-author: Oddvar Moe, Sander Wiebing, oscd.community
+author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020/10/08
 logsource:
 category: process_creation
From e6ad52c102fcb93131c0b87cc37e2b8b7e445da0 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 8 Oct 2020 15:11:57 +0200
Subject: [PATCH 3/5] Corrected falsepositives
---
 rules/windows/process_creation/win_regini.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index eebf01df8..da290bc85 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
@@ -22,5 +22,5 @@ fieds:
 - ParentImage
 - CommandLine
 falsepositives:
- - Legitimate import of keys
+ - Legitimate modification of keys
 level: medium
\ No newline at end of file
From 3ab244c70ffc1d5f54e3e4eb29335ae5ca3ff488 Mon Sep 17 00:00:00 2001
From: Sander
Date: Mon, 12 Oct 2020 09:55:34 +0200
Subject: [PATCH 4/5] regini.exe ADS rule
---
 rules/windows/process_creation/win_regini.yml | 6 +++--
 .../process_creation/win_regini_ads.yml | 27 +++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/process_creation/win_regini_ads.yml
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index da290bc85..51ab7d7f9 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
@@ -17,10 +17,12 @@ logsource:
 detection:
 selection:
 Image|endswith: '\regini.exe'
- condition: selection
+ filter:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter
 fieds:
 - ParentImage
 - CommandLine
 falsepositives:
 - Legitimate modification of keys
-level: medium
\ No newline at end of file
+level: low
\ No newline at end of file
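Review bot: The filter regex `':[^ \\]'` on the added `CommandLine|re` line in the patch 4 hunk treats every colon not followed by a space or backslash as an ADS reference, but a drive-relative path such as `C:regini.txt` (a legal Windows path: drive letter with no backslash) also matches, so that execution is suppressed in this low-level rule and surfaces only in the high-level ADS rule. If that routing is accepted, the comment on that line should say so, e.g. `# to avoid intersection with ADS rule; note drive-relative paths like C:file.txt also match`; otherwise the pattern would need to distinguish a lone drive letter at the start of an argument from a file name preceding a stream name. The `re` modifier is also not available on every Sigma backend, so it is worth confirming the filter converts for the backends this rule set targets.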
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
new file mode 100644
index 000000000..967c1588a
--- /dev/null
+++ b/rules/windows/process_creation/win_regini_ads.yml
@@ -0,0 +1,27 @@
+title: Modifies the Registry From a ADS
+id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
+status: experimental
+description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ CommandLine|re: ':[^ \\]'
+ condition: selection
+fieds:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 8c1bd4e466bb4d4cdceebd3d0d24c55b0bcc5799 Mon Sep 17 00:00:00 2001
From: Sander
Date: Mon, 12 Oct 2020 10:01:44 +0200
Subject: [PATCH 5/5] Remove redundant space
---
 rules/windows/process_creation/win_regini_ads.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
index 967c1588a..f6a238593 100644
--- a/rules/windows/process_creation/win_regini_ads.yml
+++ b/rules/windows/process_creation/win_regini_ads.yml
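Review bot: The `CommandLine|re: ':[^ \\]'` selection in this new rule is the same pattern that win_regini.yml uses as its filter, and the two rules only partition regini executions cleanly while the two copies stay identical, yet this copy carries no comment tying them together; add `# must stay identical to the filter in win_regini.yml` on that line so a later edit to one is not made without the other. The title `Modifies the Registry From a ADS` should read `From an ADS`, and the description is a comma splice; consider `description: Detects regini.exe reading its input from an alternate data stream; regini.exe can be used to modify registry keys.` Given `falsepositives: Unknown` next to `level: high`, a sentence in the description on why ADS-sourced input is treated as high-confidence would help reviewers judge the level.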
@@ -1,7 +1,7 @@
 title: Modifies the Registry From a ADS
 id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 status: experimental
-description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f