Merge pull request #2262 from frack113/dfir_20211115

DFIR exchange-exploit-leads-to-domain-wide-ransomware
frack113
2021-11-16 06:31:19 +01:00
committed by GitHub
@@ -0,0 +1,36 @@
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: experimental
description: Suspicious add key for BitLocker
references:
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
tags:
- attack.impact
- attack.t1486
author: frack113
date: 2021/11/15
logsource:
category: process_creation
product: windows
detection:
set:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
key:
CommandLine|contains:
- 'EnableBDEWithNoTPM'
- 'UseAdvancedStartup'
- 'UseTPM'
- 'UseTPMKey'
- 'UseTPMKeyPIN'
- 'RecoveryKeyMessageSource'
- 'UseTPMPIN'
- 'RecoveryKeyMessage'
condition: set and key
falsepositives:
- unknown
level: medium
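Review bot: `falsepositives: - unknown` understates the obvious benign case — the value names matched under `key` (EnableBDEWithNoTPM, UseTPM, RecoveryKeyMessage, …) are standard BitLocker Group Policy settings, so any deployment or hardening script that configures BitLocker policy through `reg add` will fire this rule; suggest `- Legitimate administrative scripts configuring BitLocker policy via reg.exe`. The `description` would also serve analysts better if it named what is matched, e.g. `description: Detects reg.exe adding BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE, as observed before ransomware deployment in the referenced DFIR report`. In the `key` list, `UseTPM` already substring-matches `UseTPMKey`, `UseTPMKeyPIN` and `UseTPMPIN`, and `RecoveryKeyMessage` matches `RecoveryKeyMessageSource`, so five of the eight entries are redundant under `contains`; keeping them is harmless, but trimming the list or adding a comment stating that the superstrings are listed for readability would make the intent clear. Requiring `/f` in `set` limits coverage to force-overwrite invocations, which is tighter than needed given that the policy path and the value names are the discriminating indicators here.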