Disabled IE Security Features

rules/windows/process_creation/win_susp_disable_ie_features.yml

@@ -0,0 +1,26 @@
+title: Disabling IE Security Features
+id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
+status: experimental
+description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
+references:
+    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+tags:
+    - attack.t1089
+author: Florian Roth 
+date: 2020/06/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+         CommandLine|contains|all:
+            - ' -name IEHarden '
+            - ' -value 0 '        
+    selection2:
+         CommandLine|contains|all:
+            - ' -name DEPOff '
+            - ' -value 1 '   
+    condition: 1 of them
+falsepositives:
+    - Unknown, maybe some security software installer disables these features temporarily
+level: high