feat: generic registry events compatible with native audit logging

This commit is contained in:
Florian Roth
2021-04-26 09:31:36 +02:00
parent 66d0f910dd
commit d24f0b8988
11 changed files with 4 additions and 26 deletions
@@ -54,11 +54,6 @@ detection:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
EventType: 'SetValue'
selection_reg2:
TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'
EventType: 'SetValue'
Details: 'DWORD (0x00000001)'
---
logsource:
category: process_creation
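Review bot: Once the `EventType` keys are gone (presumably the lines removed here and in the rule hunks that follow, e.g. `EventType: 'SetValue'` on the Active Setup StubPath and Image File Execution Options selections), the Sysmon side of these rules is no longer tied to a value being set and will also fire on key creation, key/value deletion and rename events that share the same `TargetObject` suffix, which is broader than the original detection idea and likely adds noise from uninstall or cleanup activity. If that widening is intended, say so in each rule's description, or keep a `Details` anchor where the rule has one, since `Details` is only populated on value-set events and restores the old precision without naming an event type. The `Details: 'DWORD (0x00000001)'` literal in `selection_reg2` is Sysmon's rendering of a REG_DWORD; if that selection survives the commit it will not match the same change reported through Security 4657, where `NewValue` is, as far as I know, rendered as a plain number, so the rule needs a second form for the audit backend. The file headers are stripped on this page, so which five of these eleven lines were removed cannot be confirmed from the page.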
@@ -18,8 +18,6 @@ detection:
selection:
TargetObject:
- 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
EventType:
- SetValue
condition: selection
falsepositives:
- unknown
@@ -18,10 +18,6 @@ logsource:
detection:
selection:
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
EventType:
- SetValue
- DeleteValue
- CreateValue
Details|contains:
- '.dll'
- '.exe'
@@ -19,10 +19,6 @@ detection:
- '\Security\Trusted Documents\TrustRecords'
- '\Security\AccessVBOM'
- '\Security\VBAWarnings'
EventType:
- SetValue
- DeleteValue
- CreateValue
condition: sec_settings
falsepositives:
- Valid Macros and/or internal documents
@@ -16,9 +16,6 @@ detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
Details|contains: 'MonitorProcess'
EventType:
- SetValue
- CreateValue
condition: selection
falsepositives:
- Unknown
@@ -15,9 +15,6 @@ logsource:
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
EventType:
- SetValue
- CreateValue
condition: selection
falsepositives:
- Unknown
@@ -15,7 +15,6 @@ logsource:
category: registry_event
detection:
selection:
EventType: 'SetValue'
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'
TargetObject|endswith: '\StubPath'
condition: selection
@@ -31,7 +31,6 @@ detection:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
condition: 1 of them
---
logsource:
@@ -13,7 +13,6 @@ detection:
selection_reg1:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
EventType: SetValue
selection_reg2:
- TargetObject|contains|all:
- '\Image File Execution Options\'
@@ -19,7 +19,6 @@ detection:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
- '\Command'
Details|contains: '.exe'
EventType: 'SetValue'
filter:
Details|contains:
- '\system32\CompatTelRunner.exe'
+4 -1
@@ -14,10 +14,13 @@ logsources:
product: windows
conditions:
EventID: 4657
OperationType:
- 'New registry value created'
- 'Existing registry value modified'
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
EventType: OperationType
Details: NewValue
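Review bot: The two `OperationType` strings under `conditions` are the rendered message text of Security event 4657; the raw EventData carries the resource identifiers (`%%1904` and `%%1905` as far as I know) and the rendered text is localized, so the backend only fires when the collector resolves those identifiers on an English-language system, which deserves a comment such as `# OperationType matches rendered text only; raw EventData holds %%19xx identifiers and localized systems differ`. `'Registry value deleted'` is not listed, so the DeleteValue coverage the rules above express (the Ports and Office security-settings selections) is dropped on this backend; add `- 'Registry value deleted'` if deletion should stay in scope. `EventType: OperationType` maps the field name only, not the values, so any rule that still carries `EventType: SetValue` would silently match nothing here; a comment stating that rule-level `EventType` values must be omitted for the audit backend would save the next author a silent miss. 4657 is only generated for keys that carry an audit SACL under the Audit Registry subcategory, which the config cannot express but the rule-side documentation should mention. The enclosing `registry_event` logsource entry starts above this hunk, so its `category` line and any mappings after `Details` are not visible.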