From cf9759946fad753dffec8cdab9677c888d0ddf0c Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Fri, 24 Apr 2026 23:33:55 +0545
Subject: [PATCH] Merge PR #5399 from @swachchhanda000 - Update `LSA PPL Protection Setting Modification via CommandLine`
update: LSA PPL Protection Setting Modification via CommandLine
- Add more keys regarding LSA PPL
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
---
...rotection_setting_modification_via_cli.yml | 45 +++++++++++++++++++
...on_win_reg_lsa_ppl_protection_disabled.yml | 29 ------------
2 files changed, 45 insertions(+), 29 deletions(-)
create mode 100644 rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
delete mode 100644 rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml b/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
new file mode 100644
index 000000000..445c1e58a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
@@ -0,0 +1,45 @@
+title: LSA PPL Protection Setting Modification via CommandLine
+id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
+status: test
+description: |
+ Detects modification of LSA PPL protection settings via CommandLine.
+ It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
+references:
+ - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
+ - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2022-03-22
+modified: 2026-03-13
+tags:
+ - attack.defense-evasion
+ - attack.t1562.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\reg.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'reg.exe'
+ - 'powershell.exe'
+ - 'pwsh.dll'
+ selection_cli_action:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - '\Control\Lsa'
+ CommandLine|contains:
+ - 'Set-ItemProperty'
+ - 'New-ItemProperty'
+ - ' add '
+ selection_key:
+ CommandLine|contains:
+ - 'IsPplAutoEnabled'
+ - 'RunAsPPL'
+ - 'RunAsPPLBoot'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
deleted file mode 100644
index 88aa62516..000000000
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ /dev/null
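Review bot: `falsepositives: - Unlikely` no longer matches the widened selection: the deleted rule required ` /d 0` and ` /v RunAsPPL `, whereas the new `selection_cli_action` plus `selection_key` fire on any write to these values, including hardening scripts that enable LSA protection (the added Windows11Tweaks.bat reference is exactly such a script), so an entry like `- Administrators or hardening scripts enabling LSA protection` would describe the rule honestly alongside the lowered `level: medium`. In `selection_key`, `'RunAsPPLBoot'` is redundant with `'RunAsPPL'` under a `contains` modifier, since the shorter value already matches every command line the longer one would; drop it or add a comment so a reader does not take it for an independent condition. Value removal via `reg delete` is not covered by `' add '`; if deleting `RunAsPPL` is meant to be out of scope for this rule, a one-line comment saying so would prevent the next contributor from re-adding it.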
@@ -1,29 +0,0 @@
-title: LSA PPL Protection Disabled Via Reg.EXE
-id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
-status: test
-description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
-references:
- - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
-author: Florian Roth (Nextron Systems)
-date: 2022-03-22
-modified: 2023-03-26
-tags:
- - attack.defense-evasion
- - attack.t1562.010
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_img:
- - Image|endswith: '\reg.exe'
- - OriginalFileName: 'reg.exe'
- selection_cli:
- CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa'
- CommandLine|contains|all:
- - ' add '
- - ' /d 0'
- - ' /v RunAsPPL '
- condition: all of selection_*
-falsepositives:
- - Unlikely
-level: high