Categorie registry_set

frack113
2022-03-26 10:55:05 +01:00
parent b425d04944
commit e2fbbb319d
73 changed files with 260 additions and 192 deletions
@@ -4,14 +4,9 @@ status: experimental
description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1112
- attack.t1053
author: Sreeman
date: 2020/09/29
modified: 2022/01/13
modified: 2022/03/26
fields:
- EventID
- CommandLine
@@ -19,7 +14,7 @@ fields:
- Details
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
@@ -41,4 +36,9 @@ detection:
condition: selection
falsepositives:
- Unknown
level: high
level: high
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1112
- attack.t1053
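Review bot: With `category: registry_set` the explicit `EventType: SetValue` in the selection becomes redundant, since that category already maps to Sysmon's SetValue event (Event ID 13) in the standard backend configuration; keeping both is harmless but hides the fact that the category now carries the constraint. Either drop the `EventType: SetValue` line, or mark the duplication on purpose with a comment such as `# EventType implied by registry_set; kept for backends that map the category loosely`. The same pattern appears in the other rules of this commit that retain `EventType: SetValue` next to the new category. The selection body continues past the hunk.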
@@ -5,12 +5,12 @@ description: |
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
author: frack113
date: 2021/12/30
modified: 2022/02/09
modified: 2022/03/269
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
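Review bot: `modified: 2022/03/269` is not a valid date; the extra digit breaks the `YYYY/MM/DD` format that the rule metadata validation expects, so this file will fail the repository's checks. It should read `modified: 2022/03/26`, the date used throughout the rest of the commit. The detection block starts at the end of the hunk and is not visible here.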
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/26
logsource:
category: registry_event
category: registry_sett
product: windows
detection:
classes_base:
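Review bot: `category: registry_sett` is a typo of `registry_set`; a logsource category with no backend mapping either fails validation or converts to a query that matches nothing, which would silently disable this autoruns detection. Change it to `category: registry_set` as in the sibling rules of this commit. The `classes_base:` selection continues outside the hunk.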
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/05
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
main_selection:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
system_control_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/03
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
current_version_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/03
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
nt_current_version_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
ie:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/03
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
office:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
session_manager_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
scripts_base:
@@ -25,7 +25,6 @@ detection:
- '\Shutdown'
- '\Logon'
- '\Logoff'
filter:
Details: '(Empty)'
condition: scripts_base and scripts and not filter
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
winsock_parameters_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/03/05
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
wow_current_version_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
wow_classes_base:
@@ -11,9 +11,9 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
wow_nt_current_version_base:
@@ -3,12 +3,13 @@ id: 83314318-052a-4c90-a1ad-660ece38d276
description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
author: frack113
date: 2022/01/24
modified: 2022/03/26
status: experimental
references:
- https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,13 +3,14 @@ id: 46dd5308-4572-4d12-aa43-8938f0184d4f
description: Bypasses User Account Control using a fileless method
author: frack113
date: 2022/01/05
modified: 2022/03/26
status: experimental
references:
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,12 +3,13 @@ id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
author: frack113
date: 2022/01/05
modified: 2022/03/26
status: experimental
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,12 +3,13 @@ id: 724ea201-6514-4f38-9739-e5973c34f49a
description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
author: frack113
date: 2022/01/06
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,11 +6,12 @@ description: |
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
author: frack113
date: 2022/01/01
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,12 +3,13 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
description: Hides the file extension through modification of the registry
author: frack113
date: 2022/01/22
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_domains:
@@ -3,11 +3,12 @@ id: b64a026b-8deb-4c1d-92fd-98893209dff1
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
author: frack113
date: 2021/12/28
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
logsource:
category: registry_event
category: registry_set
product: windows
detection:
chrome_ext:
@@ -5,18 +5,12 @@ description: Detects known malicious service installs that appear in cases in wh
In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
status: experimental
date: 2021/06/29
modified: 2022/03/26
author: Wojciech Lesicki
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection1:
@@ -34,4 +28,11 @@ detection:
condition: selection1 and (selection2 or selection3)
falsepositives:
- Unknown
level: critical
level: critical
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
@@ -5,19 +5,16 @@ related:
type: derived
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
modified: 2022/01/13
modified: 2022/03/26
author: Ján Trenčanský, frack113, AlertIQ
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: registry_event
category: registry_set
detection:
tamper_registry:
EventType: SetValue
@@ -35,4 +32,7 @@ detection:
condition: tamper_registry or selection2
falsepositives:
- Administrator actions
level: high
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -5,17 +5,14 @@ related:
type: derived
description: Detects the Setting of Windows Defender Exclusions
date: 2021/07/06
modified: 2021/09/21
modified: 2022/03/26
author: Christian Burkard
references:
- https://twitter.com/_nullbind/status/1204923340810543109
status: test
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection2:
#EventID: 13
@@ -24,4 +21,7 @@ detection:
condition: selection2
falsepositives:
- Administrator actions
level: medium
level: medium
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -2,17 +2,15 @@ title: Windows Defender Real-Time Protection Disabled
id: fd115e64-97c7-491f-951c-fc8da7e042fa
description: Detects disabling Windows Defender Real-Time Protection by modifying registry
date: 2021/10/18
modified: 2022/03/26
author: AlertIQ
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: registry_event
category: registry_set
detection:
tamper_registry1:
EventType: SetValue
@@ -33,4 +31,7 @@ detection:
condition: tamper_registry1 or tamper_registry2
falsepositives:
- Administrator actions
level: high
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -3,11 +3,12 @@ id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
description: Administrative shares are hidden network shares created by Microsofts Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
author: frack113
date: 2022/01/16
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,11 +3,12 @@ id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
author: frack113
date: 2022/01/09
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,8 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
author: frack113
date: 2022/03/18
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_set_1:
@@ -3,18 +3,15 @@ id: 7c637634-c95d-4bbf-b26c-a82510874b34
description: Disable Microsoft Office Security Features by registry
status: experimental
date: 2021/06/08
modified: 2022/03/26
author: frack113
tags:
- attack.defense_evasion
- attack.t1562.001
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
logsource:
product: windows
category: registry_event
category: registry_set
definition: key must be add to the sysmon configuration to works
# Sysmon
# <TargetObject name="T1562,office" condition="end with">\VBAWarnings</TargetObject>
@@ -35,3 +32,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -3,11 +3,12 @@ id: 48437c39-9e5f-47fb-af95-3d663c3f2919
description: Disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
author: frack113
date: 2022/01/05
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -3,14 +3,12 @@ id: bf9e1387-b040-4393-9851-1598f8ecfae9
description: Detects disabling Windows Defender Exploit Guard Network Protection
status: experimental
date: 2021/08/04
modified: 2022/03/26
author: Austin Songer @austinsonger
references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -21,3 +19,6 @@ detection:
falsepositives:
- Unknown
level: medium
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -3,14 +3,12 @@ id: 8ffc5407-52e3-478f-9596-0a7371eafe13
description: Detects disabling Windows Defender PUA protection
status: experimental
date: 2021/08/04
modified: 2022/03/26
author: Austin Songer @austinsonger
references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -21,3 +19,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -3,14 +3,12 @@ id: 93d298a1-d28f-47f1-a468-d971e7796679
description: Detects disabling Windows Defender Tamper Protection
status: experimental
date: 2021/08/04
modified: 2022/03/26
author: Austin Songer @austinsonger
references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -21,3 +19,6 @@ detection:
falsepositives:
- Unknown
level: medium
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -9,10 +9,10 @@ references:
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
date: 2021/07/22
modified: 2022/01/13
modified: 2022/03/26
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection_edge:
EventType: SetValue
@@ -14,10 +14,10 @@ references:
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
date: 2020/06/05
modified: 2022/01/13
modified: 2022/03/26
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
@@ -3,13 +3,12 @@ id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
author: Andreas Hunkeler (@Karneades)
date: 2021/11/19
modified: 2022/03/26
status: experimental
references:
- https://twitter.com/mrd0x/status/1461041276514623491
tags:
- attack.defense_evasion
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -20,3 +19,5 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
@@ -3,13 +3,14 @@ id: 5df86130-4e95-4a54-90f7-26541b40aec2
description: Hides the file extension through modification of the registry
author: frack113
date: 2022/01/22
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
- https://unit42.paloaltonetworks.com/ransomware-families/
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_HideFileExt:
@@ -6,8 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
author: frack113
date: 2022/03/18
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_set_1:
@@ -3,12 +3,12 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings
author: frack113
date: 2022/01/22
modified: 2022/03/25
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_domains:
@@ -10,9 +10,9 @@ references:
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2022/01/13
modified: 2022/003/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
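Review bot: `modified: 2022/003/26` has a three-digit month and will not pass the `YYYY/MM/DD` date check applied to rule metadata. It should be `modified: 2022/03/26`, consistent with the other files in this commit. The selection body begins at the end of the hunk.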
@@ -3,11 +3,12 @@ id: 63647769-326d-4dde-a419-b925cc0caf42
description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
author: frack113
date: 2022/02/26
modified: 2022/03/26
status: experimental
references:
- https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_word:
@@ -5,14 +5,11 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
tags:
- attack.t1137.006
- attack.persistence
author: Bhabesh Raj
date: 2021/01/10
modified: 2022/02/09
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -36,4 +33,7 @@ detection:
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate Addin Installation
level: medium
level: medium
tags:
- attack.t1137.006
- attack.persistence
@@ -5,16 +5,10 @@ description: Detects the modification of Outlook Security Setting to allow unpro
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
tags:
- attack.persistence
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
date: 2021/04/05
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_registry:
@@ -25,3 +19,9 @@ detection:
falsepositives:
- Unlikely
level: medium
tags:
- attack.persistence
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
@@ -6,13 +6,10 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
author: Tobias Michalski
date: 2021/06/10
modified: 2022/03/05
tags:
- attack.persistence
- attack.t1112
modified: 2022/03/26
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection1:
TargetObject|contains:
@@ -35,3 +32,6 @@ fields:
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.t1112
@@ -3,12 +3,13 @@ id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
description: Change outlook email security settings
author: frack113
date: 2021/12/28
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md
- https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -7,12 +7,9 @@ references:
- https://attack.mitre.org/techniques/T1546/015/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2022/03/05
tags:
- attack.persistence
- attack.t1546.015
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection: # Detect new COM servers in the user hive
@@ -75,3 +72,6 @@ detection:
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium
tags:
- attack.persistence
- attack.t1546.015
@@ -4,14 +4,11 @@ description: Detects that a powershell code is written to the registry as a serv
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2022/01/13
modified: 2022/03/26
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
- attack.execution
- attack.t1569.002
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -25,3 +22,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.t1569.002
@@ -6,9 +6,9 @@ references:
- https://github.com/frack113/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
author: frack113, Florian Roth
date: 2022/03/17
modified: 2022/03/18
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,9 +6,9 @@ author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
date: 2019/09/12
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,8 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
author: frack113
date: 2022/03/18
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_set_1:
@@ -3,11 +3,12 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6
description: Detects the modification of a ServiceDLL value in the service settings
author: frack113
date: 2022/02/04
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -5,12 +5,13 @@ description: |
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
author: frack113
date: 2021/12/30
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -7,12 +7,9 @@ references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
date: 2021/02/26
modified: 2022/01/13
tags:
- attack.persistence
- attack.t1546.012
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -22,4 +19,7 @@ detection:
condition: selection
falsepositives:
- Unknown
level: high
level: high
tags:
- attack.persistence
- attack.t1546.012
@@ -6,9 +6,9 @@ author: Florian Roth
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
date: 2020/07/01
modified: 2022/02/09
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,9 +6,9 @@ author: Florian Roth, oscd.community
references:
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
date: 2018/07/18
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,9 +6,9 @@ references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis, Sander Wiebing
date: 2018/08/25
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,9 +6,9 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes)
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
date: 2019/04/08
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection_1:
@@ -7,9 +7,9 @@ references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
date: 2019/10/12
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
@@ -2,17 +2,13 @@ title: New TaskCache Entry
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
status: experimental
tags:
- attack.persistence
- attack.t1053
- attack.t1053.005
date: 2021/06/18
modified: 2022/03/03
modified: 2022/03/26
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Syed Hasan (@syedhasan009)
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -56,4 +52,8 @@ detection:
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: medium
level: medium
tags:
- attack.persistence
- attack.t1053
- attack.t1053.005
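Review bot: The switch to `category: registry_set` may narrow this rule below what its description states: `registry_set` maps to value-write events only (Sysmon Event ID 13), whereas the description says the rule monitors "the creation of a new key under 'TaskCache'", which is a key-creation event that only the broader `registry_event` category covers. If the selection matches on TargetObject alone and relies on the key-creation event, task registrations that do not also write a monitored value would no longer fire. Either confirm that the TaskCache registration path always produces SetValue events for the selected TargetObject, or keep `category: registry_event` for this rule and adjust the description to match whichever is chosen. The selection and its filters lie between the two hunks and are not visible here.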
@@ -6,9 +6,9 @@ author: Lednyov Alexey, oscd.community
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
date: 2020/10/16
modified: 2022/01/13
modified: 2022/03/26
logsource:
category: registry_event
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
detection:
@@ -3,16 +3,12 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
author: Christian Burkard
date: 2021/08/30
modified: 2022/01/13
modified: 2022/03/26
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -25,3 +21,7 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
@@ -3,16 +3,12 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
author: Christian Burkard
date: 2021/08/23
modified: 2022/01/13
modified: 2022/03/26
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -23,3 +19,7 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
@@ -3,12 +3,12 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
status: experimental
date: 2021/03/05
modified: 2022/03/04
modified: 2022/03/26
author: Florian Roth
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -6,14 +6,11 @@ references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
tags:
- attack.defense_evasion
- attack.t1218
date: 2020/10/13
modified: 2022/01/13
modified: 2022/03/26
author: oscd.community, Natalia Shornikova
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -25,3 +22,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1218
@@ -3,16 +3,13 @@ id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
status: experimental
date: 2019/09/12
modified: 2022/02/01
modified: 2022/03/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1112
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
@@ -23,3 +20,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1112
@@ -5,11 +5,12 @@ description: |
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
author: frack113
date: 2021/12/30
modified: 2022/03/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
logsource:
category: registry_event
category: registry_set
product: windows
detection:
selection:
+3
@@ -24,6 +24,9 @@ logsources:
windows-category-registry_event:
product: windows
category: registry_event
windows-category-registry_set:
product: windows
category: registry_set
windows-category-process_access:
product: windows
category: process_access
+9
@@ -39,6 +39,15 @@ logsources:
rewrite:
product: windows
service: sysmon
registry_set:
category: registry_set
product: windows
conditions:
eventType:
- Win-Sysmon-13-Registry-*
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
+9
@@ -118,6 +118,15 @@ logsources:
rewrite:
product: windows
service: sysmon
registry_set:
category: registry_event
product: windows
conditions:
EventID:
- 13
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
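Review bot: The new `registry_set:` logsource block maps `category: registry_event` instead of `registry_set`, so the rules this commit moves to `registry_set` will not be matched by this config, and the existing `registry_event` mapping in the same file gets a second, narrower (EventID 13 only) definition for the same category. The sibling sysmon config earlier in this commit gets it right (`registry_set:` with `category: registry_set`). Change the line to `category: registry_set`. The same mismatch appears in the qradar config hunk later in this commit, where the `windows-registry-set:` block also carries `category: registry_event`.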
+10
@@ -20,6 +20,16 @@ logsources:
rewrite:
product: windows
service: security
registry_event:
category: registry_set
product: windows
conditions:
EventID: 4657
OperationType:
- 'Existing registry value modified'
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
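Review bot: The added block is keyed `registry_event:` although its content maps `category: registry_set`, which is inconsistent with the `registry_set:` key used for the equivalent block in the other configs of this commit. If this file already defines a `registry_event` logsource above the hunk (as the sibling configs do), this is a duplicate mapping key and most YAML loaders silently keep only the last one, so the original registry_event mapping would be lost without any error. Rename the key to `registry_set:` so the identifier matches the category it describes.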
+5
@@ -383,6 +383,11 @@ logsources:
- 12
- 13
- 14
windows-registry-set:
product: windows
category: registry_event
conditions:
vendor_id: 13
qflow:
product: qflow
netflow:
+8
@@ -129,6 +129,14 @@ logsources:
rewrite:
product: windows
service: sysmon
registry_event4:
category: registry_set
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
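Review bot: The new logsource key `registry_event4:` is a naming inconsistency: every other config in this commit names the Event ID 13 mapping `registry_set`, and the category this block maps is `registry_set`. A numbered suffix on `registry_event` reads like a leftover from a copy of the existing block and makes the mapping hard to find later. Rename it to `registry_set:` to match the sibling configs.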