diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml index 01646bff3..6c33295ce 100644 --- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml @@ -7,12 +7,13 @@ references: - https://attack.mitre.org/techniques/T1037/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md date: 2019/01/12 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_add product: windows detection: selection: + EventType: CreateKey TargetObject|contains: 'UserInitMprLogonScript' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml index 753e94bb5..94dfc6975 100644 --- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml @@ -13,16 +13,17 @@ references: - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ date: 2021/10/07 -modified: 2022/03/26 +modified: 2022/06/26 author: Christopher Peacock level: high logsource: product: windows category: registry_add detection: - selection1: + selection: + EventType: CreateKey TargetObject|contains: '\software\NetWire' - condition: selection1 + condition: selection falsepositives: - Unknown tags: diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml index c3abe799e..e9c902311 100644 --- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml 
+++ b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml @@ -7,12 +7,13 @@ references: - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ author: megan201296 date: 2019/02/13 -modified: 2021/03/26 +modified: 2021/06/26 logsource: product: windows category: registry_add detection: selection: + EventType: CreateKey TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\' filter: TargetObject|contains: diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index f65da7390..7f17c2c24 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -5,13 +5,14 @@ description: Detects the usage of Sysinternals Tools due to accepteula key being references: - https://twitter.com/Moti_B/status/1008587936735035392 date: 2017/08/28 -modified: 2022/03/26 +modified: 2022/06/26 author: Markus Neis logsource: product: windows category: registry_add detection: selection: + EventType: CreateKey TargetObject|endswith: '\EulaAccepted' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml index e48efbae7..7d197391c 100644 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml 
@@ -3,7 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 -modified: 2022/03/26 +modified: 2022/06/26 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 @@ -13,6 +13,7 @@ logsource: category: registry_add detection: selection: + EventType: CreateKey TargetObject|contains: '\Software\Sysinternals\SDelete' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index 4d5a1305b..35f80a902 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -3,7 +3,7 @@ id: 1547e27c-3974-43e2-a7d7-7f484fb928ec description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. author: frack113 date: 2022/04/04 -modified: 2022/04/29 +modified: 2022/06/26 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network @@ -13,6 +13,7 @@ logsource: product: windows detection: selection: + EventType: Setvalue TargetObject|startswith: - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\' - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\' diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml index 9b419a609..92114070e 100644 --- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml 
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml @@ -7,12 +7,13 @@ references: - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass - https://www.exploit-db.com/exploits/47696 date: 2020/09/27 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_set product: windows detection: selection: + EventType: Setvalue TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml index 423cf4f0e..565fffe53 100755 --- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml +++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml @@ -8,12 +8,13 @@ references: - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx date: 2017/05/15 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_set product: windows detection: selection: + EventType: Setvalue TargetObject|endswith: - '\Services\DHCPServer\Parameters\CalloutDlls' - '\Services\DHCPServer\Parameters\CalloutEnabled' diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index ba9829770..08cfbfacd 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml 
@@ -3,6 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83 description: Detects the modification of the registry to disable a system restore on the computer author: frack113 date: 2022/04/04 +modified: 2022/06/26 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: Setvalue TargetObject|startswith: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml index 90c29abd7..e6caec211 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml @@ -8,12 +8,13 @@ references: - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors - https://www.sans.org/cyber-security-summit/archives date: 2020/09/10 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_set product: windows detection: selection: + EventType: Setvalue TargetObject|endswith: - '\COR_ENABLE_PROFILING' - '\COR_PROFILER' diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml index 0e804d7ce..d50a1a9ac 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml 
@@ -3,6 +3,7 @@ id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users. author: frack113 date: 2022/04/02 +modified: 2022/06/26 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: Setvalue TargetObject: - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml index 4e36d0822..e08faf0b6 100644 --- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml +++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml @@ -3,6 +3,7 @@ id: d223b46b-5621-4037-88fe-fda32eead684 description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry author: frack113 date: 2022/04/04 +modified: 2022/06/26 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store @@ -12,6 +13,7 @@ logsource: product: windows detection: selection: + EventType: Setvalue TargetObject|contains: - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\' - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\' diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index 8bbade159..9931e5066 100644 
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -4,7 +4,7 @@ related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e type: derived date: 2020/05/14 -modified: 2022/03/26 +modified: 2022/06/26 status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: @@ -15,6 +15,7 @@ logsource: category: registry_set detection: selection: + EventType: Setvalue TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml index cccb2b37f..a15053708 100644 --- a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml +++ b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml @@ -7,12 +7,13 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/1 - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html date: 2020/05/02 -modified: 2022/03/26 +modified: 2022/06/26 logsource: product: windows category: registry_set detection: selection: + EventType: Setvalue TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_office_security.yml b/rules/windows/registry/registry_set/registry_set_office_security.yml index 9ffd9993b..fe5e28dba 100644 --- a/rules/windows/registry/registry_set/registry_set_office_security.yml +++ b/rules/windows/registry/registry_set/registry_set_office_security.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) author: Trent Liffick (@tliffick) date: 2020/05/22 -modified: 2022/03/26 +modified: 2022/06/26 references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ @@ -14,6 +14,7 @@ logsource: product: windows detection: selection: + EventType: Setvalue TargetObject|endswith: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml index 5a64c64f4..4570449f0 100644 --- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml @@ -6,17 +6,17 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 -modified: 2022/03/26 +modified: 2022/06/26 logsource: product: windows category: registry_set detection: selection1: + EventType: SetValue TargetObject|contains: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: - EventType: SetValue TargetObject|endswith: Stamp Details: DWORD (0x00000001) selectionUserDefined: diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml index d400ec7a0..3b9382b7a 100644 --- a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml 
@@ -7,12 +7,13 @@ references: - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us author: Tobias Michalski date: 2021/06/09 -modified: 2022/03/26 +modified: 2022/06/26 logsource: product: windows category: registry_set detection: selection_1: + EventType: SetValue TargetObject|contains: - '\Software\Microsoft\Office\' - '\Outlook\WebView\' diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index 3fb2126a5..7f11c554f 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -3,6 +3,7 @@ id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 description: Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging author: frack113 date: 2022/04/02 +modified: 2022/06/26 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|endswith: - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging diff --git a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml b/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml index c4447c650..fa8a24b10 100755 --- a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml 
@@ -9,12 +9,13 @@ references: - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ date: 2019/04/03 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_set product: windows detection: selection_reg: + EventType: SetValue TargetObject|contains: - '\services\TermService\Parameters\ServiceDll' - '\Control\Terminal Server\fSingleSessionPerUser' diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index 314f753d4..bb3268bd4 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -7,12 +7,13 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2022/03/26 +modified: 2022/06/26 logsource: category: registry_set product: windows detection: selection1: + EventType: SetValue TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: EventType: SetValue
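Review bot: the `modified` bump in registry_add_mal_ursnif.yml goes from `2021/03/26` to `2021/06/26`, while every other rule in this patch is set to `2022/06/26`; the year looks carried over from the old value, so this line should read `modified: 2022/06/26`.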
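Review bot: the spelling `EventType: Setvalue` (lower-case v) added in registry_set_add_load_service_in_safe_mode.yml, registry_set_comhijack_sdclt.yml, registry_set_dhcp_calloutdll.yml, registry_set_disable_system_restore.yml, registry_set_enabling_cor_profiler_env_variables.yml, registry_set_hide_file.yml, registry_set_install_root_or_ca_certificat.yml, registry_set_mal_blue_mockingbird.yml, registry_set_new_application_appcompat.yml and registry_set_office_security.yml differs from the `EventType: SetValue` used in the later hunks and already present in selection2 of registry_set_uac_bypass_sdclt.yml. Sigma string matching is case-insensitive, so detection is unaffected, but normalise all of them to `SetValue` (the value Sysmon emits) so the repository carries one spelling.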
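Review bot: in registry_set_outlook_registry_todaypage.yml, `EventType: SetValue` is moved out of `selectionStamp` into `selection1`, which changes which selections carry the event-type restriction. The `condition` line is outside the hunk, so please confirm it ANDs `selection1` with the other selections; if it does, the Stamp branch keeps its SetValue restriction and the `selectionUserDefined` branch gains it (a behaviour change worth stating in the commit message), and if it does not, the Stamp branch loses the restriction and the old line should stay.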
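Review bot: registry_add_sysinternals_sdelete_registry_keys.yml now restricts its selection to `EventType: CreateKey`, but the description still promises to trigger "for the creation or modification of .*\Software\Sysinternals\SDelete registry keys"; either reword the description to creation only or point to the registry_set rule that covers modification, so the description matches what the rule fires on.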
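Review bot: starting with registry_add_logon_scripts_userinitmprlogonscript_reg.yml, the patch adds an explicit `EventType` to rules whose `logsource.category` is already `registry_add` or `registry_set`, and nothing in the hunks says why. Where the backend mapping for the category already pins the Sysmon event type the field is redundant, and where it only selects the event ID (so that, for example, `registry_add` would also match key deletions) it is a real narrowing; the commit message should state which case applies so the change is not reverted as noise later.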