From bea46b2b9ef171d8a989a059085e85196fe7a227 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Thu, 8 Dec 2022 12:13:25 +0530
Subject: [PATCH] Update to modify FP and UUID

---
 .github/workflows/known-FPs.csv | 1 +
 ..._shtinkering.yml => registry_set_lsass_usermode_dumping.yml} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 rename rules/windows/registry/registry_set/{registry_set_lsass_usermode_dumping_lsass_shtinkering.yml => registry_set_lsass_usermode_dumping.yml} (94%)

diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index bbb1f00d1..9b7911bb3 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
+33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
similarity index 94%
rename from rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
rename to rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index b282b2d17..dab1b1a9c 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
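Review bot: The known-FPs.csv entry added at the end of this hunk is keyed on rule id `33efc23c-6ea2-4503-8cfe-bdf82ce8f718`, but the second hunk of this same commit (registry_set_lsass_usermode_dumping.yml) changes that rule's id to `33efc23c-6ea2-4503-8cfe-bdf82ce8f719`, so the FP allow-list entry no longer refers to any rule in the repository. If the workflow that consumes this CSV looks rules up by the first column (it is not visible here), the LocalDumps path will not be treated as a known false positive and the test will presumably keep failing for the renamed rule; the line should read `33efc23c-6ea2-4503-8cfe-bdf82ce8f719;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps`. The second column of the neighbouring entries appears to be the rule title, and this one says "Adding of a registry key" while the rule's title line in the next hunk is "Setting of a registry key's value for LSASS Shtinkering"; if the consumer matches on title as well, align the two.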
@@ -1,5 +1,5 @@
 title: Setting of a registry key's value for LSASS Shtinkering
-id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
 status: experimental
 description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
 references: