From e2fbbb319d45766a29fa784b0cd63a19e11e94b8 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 26 Mar 2022 10:55:05 +0100
Subject: [PATCH] Categorie registry_set
---
 ...ing_windows_telemetry_for_persistence.yml} | 16 ++++++++--------
 ....yml => registry_set_add_port_monitor.yml} | 4 ++--
 ...et_asep_reg_keys_modification_classes.yml} | 4 ++--
 ...set_asep_reg_keys_modification_common.yml} | 4 ++--
 ...g_keys_modification_currentcontrolset.yml} | 4 ++--
 ..._reg_keys_modification_currentversion.yml} | 4 ++--
 ...g_keys_modification_currentversion_nt.yml} | 4 ++--
 ...g_keys_modification_internet_explorer.yml} | 4 ++--
 ...set_asep_reg_keys_modification_office.yml} | 4 ++--
 ...reg_keys_modification_session_manager.yml} | 4 ++--
 ..._reg_keys_modification_system_scripts.yml} | 5 ++---
 ...t_asep_reg_keys_modification_winsock2.yml} | 4 ++--
 ...sep_reg_keys_modification_wow6432node.yml} | 4 ++--
 ...keys_modification_wow6432node_classes.yml} | 4 ++--
 ...dification_wow6432node_currentversion.yml} | 4 ++--
 ... => registry_set_blackbyte_ransomware.yml} | 3 ++-
 ..._set_bypass_uac_using_delegateexecute.yml} | 3 ++-
 ...stry_set_bypass_uac_using_eventviewer.yml} | 3 ++-
 ...t_bypass_uac_using_silentcleanup_task.yml} | 3 ++-
 ...t.yml => registry_set_change_rdp_port.yml} | 3 ++-
 ...=> registry_set_change_security_zones.yml} | 3 ++-
 ....yml => registry_set_chrome_extension.yml} | 3 ++-
 ...try_set_cobaltstrike_service_installs.yml} | 19 ++++++++++---------
 ...yml => registry_set_defender_disabled.yml} | 12 ++++++------
 ...l => registry_set_defender_exclusions.yml} | 12 ++++++------
 ...defender_realtime_protection_disabled.yml} | 11 ++++++-----
 ...stry_set_disable_administrative_share.yml} | 3 ++-
 ...egistry_set_disable_defender_firewall.yml} | 3 ++-
 ...=> registry_set_disable_fonction_user.yml} | 3 ++-
 ...le_microsoft_office_security_features.yml} | 10 +++++-----
 ...
=> registry_set_disable_uac_registry.yml} | 3 ++-
 ...t_guard_net_protection_on_ms_defender.yml} | 9 +++++----
 ..._pua_protection_on_microsoft_defender.yml} | 9 +++++----
 ...mper_protection_on_microsoft_defender.yml} | 9 +++++----
 ...> registry_set_dns_over_https_enabled.yml} | 4 ++--
 ...bled.yml => registry_set_etw_disabled.yml} | 4 ++--
 ...registry_set_file_association_exefile.yml} | 7 ++++---
 ....yml => registry_set_hidden_extention.yml} | 3 ++-
 ...ml => registry_set_hide_fonction_user.yml} | 3 ++-
 ...ce.yml => registry_set_ie_persistence.yml} | 4 ++--
 ...adwind.yml => registry_set_mal_adwind.yml} | 4 ++--
 ...yml => registry_set_office_enable_dde.yml} | 3 ++-
 ... registry_set_office_vsto_persistence.yml} | 12 ++++++------
 ... registry_set_outlook_c2_registry_key.yml} | 16 ++++++++--------
 ...gistry_set_outlook_registry_todaypage.yml} | 10 +++++-----
 ....yml => registry_set_outlook_security.yml} | 3 ++-
 ...registry_set_persistence_search_order.yml} | 10 +++++-----
 ...=> registry_set_powershell_as_service.yml} | 10 +++++-----
 ...> registry_set_powershell_in_run_keys.yml} | 4 ++--
 ...egistry_set_rdp_registry_modification.yml} | 4 ++--
 ...l => registry_set_set_nopolicies_user.yml} | 3 ++-
 ...ll.yml => registry_set_set_servicedll.yml} | 3 ++-
 ...gistry_set_shim_databases_persistence.yml} | 3 ++-
 ...yml => registry_set_silentprocessexit.yml} | 12 ++++++------
 ...l => registry_set_susp_printer_driver.yml} | 4 ++--
 ...try_set_susp_reg_persist_explorer_run.yml} | 4 ++--
 ...
registry_set_susp_run_key_img_folder.yml} | 4 ++--
 ...> registry_set_susp_service_installed.yml} | 4 ++--
 ...y_set_suspicious_keyboard_layout_load.yml} | 4 ++--
 ...y.yml => registry_set_taskcache_entry.yml} | 14 +++++++-------
 ...=> registry_set_telemetry_persistence.yml} | 4 ++--
 ...yml => registry_set_uac_bypass_winsat.yml} | 12 ++++++------
 ...mp.yml => registry_set_uac_bypass_wmp.yml} | 12 ++++++------
 ...ml => registry_set_vbs_payload_stored.yml} | 4 ++--
 ...> registry_set_wab_dllpath_reg_change.yml} | 10 +++++-----
 ...set_wdigest_enable_uselogoncredential.yml} | 10 +++++-----
 ...l => registry_set_winlogon_notify_key.yml} | 3 ++-
 tools/config/devo-windows.yml | 3 +++
 tools/config/fortisiem-windows.yml | 9 +++++++++
 tools/config/generic/sysmon.yml | 9 +++++++++
 tools/config/generic/windows-audit.yml | 10 ++++++++++
 tools/config/hawk.yml | 5 +++++
 tools/config/thor.yml | 8 ++++++++
 73 files changed, 260 insertions(+), 192 deletions(-)
 rename rules/windows/registry_set/{registry_event_abusing_windows_telemetry_for_persistence.yml => registry_set_abusing_windows_telemetry_for_persistence.yml} (94%)
 rename rules/windows/registry_set/{registry_event_add_port_monitor.yml => registry_set_add_port_monitor.yml} (94%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_classes.yml => registry_set_asep_reg_keys_modification_classes.yml} (97%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_common.yml => registry_set_asep_reg_keys_modification_common.yml} (98%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_currentcontrolset.yml => registry_set_asep_reg_keys_modification_currentcontrolset.yml} (97%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_currentversion.yml => registry_set_asep_reg_keys_modification_currentversion.yml} (99%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_currentversion_nt.yml => 
registry_set_asep_reg_keys_modification_currentversion_nt.yml} (98%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_internet_explorer.yml => registry_set_asep_reg_keys_modification_internet_explorer.yml} (97%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_office.yml => registry_set_asep_reg_keys_modification_office.yml} (98%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_session_manager.yml => registry_set_asep_reg_keys_modification_session_manager.yml} (96%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_system_scripts.yml => registry_set_asep_reg_keys_modification_system_scripts.yml} (96%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_winsock2.yml => registry_set_asep_reg_keys_modification_winsock2.yml} (97%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_wow6432node.yml => registry_set_asep_reg_keys_modification_wow6432node.yml} (98%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_wow6432node_classes.yml => registry_set_asep_reg_keys_modification_wow6432node_classes.yml} (97%)
 rename rules/windows/registry_set/{registry_event_asep_reg_keys_modification_wow6432node_currentversion.yml => registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml} (97%)
 rename rules/windows/registry_set/{registry_event_blackbyte_ransomware.yml => registry_set_blackbyte_ransomware.yml} (95%)
 rename rules/windows/registry_set/{registry_event_bypass_uac_using_delegateexecute.yml => registry_set_bypass_uac_using_delegateexecute.yml} (94%)
 rename rules/windows/registry_set/{registry_event_bypass_uac_using_eventviewer.yml => registry_set_bypass_uac_using_eventviewer.yml} (94%)
 rename rules/windows/registry_set/{registry_event_bypass_uac_using_silentcleanup_task.yml => registry_set_bypass_uac_using_silentcleanup_task.yml} (92%)
 rename 
rules/windows/registry_set/{registry_event_change_rdp_port.yml => registry_set_change_rdp_port.yml} (95%)
 rename rules/windows/registry_set/{registry_event_change_security_zones.yml => registry_set_change_security_zones.yml} (95%)
 rename rules/windows/registry_set/{registry_event_chrome_extension.yml => registry_set_chrome_extension.yml} (99%)
 rename rules/windows/registry_set/{registry_event_cobaltstrike_service_installs.yml => registry_set_cobaltstrike_service_installs.yml} (94%)
 rename rules/windows/registry_set/{registry_event_defender_disabled.yml => registry_set_defender_disabled.yml} (94%)
 rename rules/windows/registry_set/{registry_event_defender_exclusions.yml => registry_set_defender_exclusions.yml} (88%)
 rename rules/windows/registry_set/{registry_event_defender_realtime_protection_disabled.yml => registry_set_defender_realtime_protection_disabled.yml} (95%)
 rename rules/windows/registry_set/{registry_event_disable_administrative_share.yml => registry_set_disable_administrative_share.yml} (95%)
 rename rules/windows/registry_set/{registry_event_disable_defender_firewall.yml => registry_set_disable_defender_firewall.yml} (96%)
 rename rules/windows/registry_set/{registry_event_disable_fonction_user.yml => registry_set_disable_fonction_user.yml} (96%)
 rename rules/windows/registry_set/{registry_event_disable_microsoft_office_security_features.yml => registry_set_disable_microsoft_office_security_features.yml} (95%)
 rename rules/windows/registry_set/{registry_event_disable_uac_registry.yml => registry_set_disable_uac_registry.yml} (94%)
 rename rules/windows/registry_set/{registry_event_disabled_exploit_guard_net_protection_on_ms_defender.yml => registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml} (91%)
 rename rules/windows/registry_set/{registry_event_disabled_pua_protection_on_microsoft_defender.yml => registry_set_disabled_pua_protection_on_microsoft_defender.yml} (90%)
 rename 
rules/windows/registry_set/{registry_event_disabled_tamper_protection_on_microsoft_defender.yml => registry_set_disabled_tamper_protection_on_microsoft_defender.yml} (90%)
 rename rules/windows/registry_set/{registry_event_dns_over_https_enabled.yml => registry_set_dns_over_https_enabled.yml} (95%)
 rename rules/windows/registry_set/{registry_event_etw_disabled.yml => registry_set_etw_disabled.yml} (97%)
 rename rules/windows/registry_set/{registry_event_file_association_exefile.yml => registry_set_file_association_exefile.yml} (88%)
 rename rules/windows/registry_set/{registry_event_hidden_extention.yml => registry_set_hidden_extention.yml} (95%)
 rename rules/windows/registry_set/{registry_event_hide_fonction_user.yml => registry_set_hide_fonction_user.yml} (96%)
 rename rules/windows/registry_set/{registry_event_ie_persistence.yml => registry_set_ie_persistence.yml} (95%)
 rename rules/windows/registry_set/{registry_event_mal_adwind.yml => registry_set_mal_adwind.yml} (92%)
 rename rules/windows/registry_set/{registry_event_office_enable_dde.yml => registry_set_office_enable_dde.yml} (95%)
 rename rules/windows/registry_set/{registry_event_office_vsto_persistence.yml => registry_set_office_vsto_persistence.yml} (93%)
 rename rules/windows/registry_set/{registry_event_outlook_c2_registry_key.yml => registry_set_outlook_c2_registry_key.yml} (92%)
 rename rules/windows/registry_set/{registry_event_outlook_registry_todaypage.yml => registry_set_outlook_registry_todaypage.yml} (94%)
 rename rules/windows/registry_set/{registry_event_outlook_security.yml => registry_set_outlook_security.yml} (93%)
 rename rules/windows/registry_set/{registry_event_persistence_search_order.yml => registry_set_persistence_search_order.yml} (97%)
 rename rules/windows/registry_set/{registry_event_powershell_as_service.yml => registry_set_powershell_as_service.yml} (90%)
 rename rules/windows/registry_set/{registry_event_powershell_in_run_keys.yml => registry_set_powershell_in_run_keys.yml} (95%)
 rename 
rules/windows/registry_set/{registry_event_rdp_registry_modification.yml => registry_set_rdp_registry_modification.yml} (94%)
 rename rules/windows/registry_set/{registry_event_set_nopolicies_user.yml => registry_set_set_nopolicies_user.yml} (97%)
 rename rules/windows/registry_set/{registry_event_set_servicedll.yml => registry_set_set_servicedll.yml} (94%)
 rename rules/windows/registry_set/{registry_event_shim_databases_persistence.yml => registry_set_shim_databases_persistence.yml} (94%)
 rename rules/windows/registry_set/{registry_event_silentprocessexit.yml => registry_set_silentprocessexit.yml} (90%)
 rename rules/windows/registry_set/{registry_event_susp_printer_driver.yml => registry_set_susp_printer_driver.yml} (94%)
 rename rules/windows/registry_set/{registry_event_susp_reg_persist_explorer_run.yml => registry_set_susp_reg_persist_explorer_run.yml} (95%)
 rename rules/windows/registry_set/{registry_event_susp_run_key_img_folder.yml => registry_set_susp_run_key_img_folder.yml} (94%)
 rename rules/windows/registry_set/{registry_event_susp_service_installed.yml => registry_set_susp_service_installed.yml} (96%)
 rename rules/windows/registry_set/{registry_event_suspicious_keyboard_layout_load.yml => registry_set_suspicious_keyboard_layout_load.yml} (96%)
 rename rules/windows/registry_set/{registry_event_taskcache_entry.yml => registry_set_taskcache_entry.yml} (97%)
 rename rules/windows/registry_set/{registry_event_telemetry_persistence.yml => registry_set_telemetry_persistence.yml} (95%)
 rename rules/windows/registry_set/{registry_event_uac_bypass_winsat.yml => registry_set_uac_bypass_winsat.yml} (91%)
 rename rules/windows/registry_set/{registry_event_uac_bypass_wmp.yml => registry_set_uac_bypass_wmp.yml} (90%)
 rename rules/windows/registry_set/{registry_event_vbs_payload_stored.yml => registry_set_vbs_payload_stored.yml} (96%)
 rename rules/windows/registry_set/{registry_event_wab_dllpath_reg_change.yml => registry_set_wab_dllpath_reg_change.yml} (92%)
 rename 
rules/windows/registry_set/{registry_event_wdigest_enable_uselogoncredential.yml => registry_set_wdigest_enable_uselogoncredential.yml} (93%)
 rename rules/windows/registry_set/{registry_event_winlogon_notify_key.yml => registry_set_winlogon_notify_key.yml} (92%)
diff --git a/rules/windows/registry_set/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_abusing_windows_telemetry_for_persistence.yml
rename to rules/windows/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
index 282552a87..f6b74bfaa 100644
--- a/rules/windows/registry_set/registry_event_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -4,14 +4,9 @@ status: experimental
 description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1112
- - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2022/01/13
+modified: 2022/03/26
 fields:
 - EventID
 - CommandLine
@@ -19,7 +14,7 @@ fields:
 - Details
 logsource:
 product: windows
- category: registry_event
+ category: registry_set
 detection:
 selection:
 EventType: SetValue
@@ -41,4 +36,9 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
+ - attack.t1053
\ No newline at end of file
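Review bot: With `category: registry_set` in the second hunk (`@@ -19,7 +14,7 @@`), the `EventType: SetValue` line kept in `selection` looks redundant if the new category is mapped to SetValue events by the backend configs this commit touches under tools/config; if that is the intent, drop it and let the logsource carry the event type, otherwise the rule filters the same property twice. The third hunk also leaves the new file without a trailing newline (`\ No newline at end of file` on both sides); adding one avoids that marker reappearing in every future diff of this rule. Both points are inferred from the diffstat and hunk context only, since the config changes themselves are not in this excerpt.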
diff --git a/rules/windows/registry_set/registry_event_add_port_monitor.yml b/rules/windows/registry_set/registry_set_add_port_monitor.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_add_port_monitor.yml
rename to rules/windows/registry_set/registry_set_add_port_monitor.yml
index c7c1eb1b6..511d9460a 100644
--- a/rules/windows/registry_set/registry_event_add_port_monitor.yml
+++ b/rules/windows/registry_set/registry_set_add_port_monitor.yml
@@ -5,12 +5,12 @@ description: |
 A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
 author: frack113
 date: 2021/12/30
-modified: 2022/02/09
+modified: 2022/03/269
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_classes.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_classes.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_classes.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index 0e8004b75..430cacbdc 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_sett
 product: windows
 detection:
 classes_base:
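Review bot: `+modified: 2022/03/269` in the add_port_monitor hunk is not a valid date; every other rule in this commit uses `modified: 2022/03/26`, so this line should read `modified: 2022/03/26` as well. A malformed date is exactly the kind of metadata the rule linter or CI should reject, so it is worth fixing before merge rather than relying on downstream tooling to tolerate it.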
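Review bot: `+ category: registry_sett` in the asep_reg_keys_modification_classes hunk misspells the new category; the line should be `category: registry_set`. A logsource category that no backend config maps to may not fail loudly in every converter — the rule can be skipped or emitted without an event-type filter — so this typo would quietly disable the Classes ASEP detection while the rename suggests it was migrated like its siblings.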
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_common.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_common.yml
similarity index 98%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_common.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 7cc36d92f..f6fffa858 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/05
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 main_selection:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentcontrolset.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 7746cb0aa..5c5f015a3 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 system_control_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
similarity index 99%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 366ae4f66..4b5ea7b5a 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/03
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 current_version_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
similarity index 98%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion_nt.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index 00fc13761..32574d62c 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/03
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 nt_current_version_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_internet_explorer.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index de2b7fa0f..eb96b030e 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 ie:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_office.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_office.yml
similarity index 98%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_office.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_office.yml
index cc1b91664..0ccfbc260 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/03
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 office:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_session_manager.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 7ccafcdcc..f9d477020 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 session_manager_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_system_scripts.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 41cbd4739..8a6dbe62a 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 scripts_base:
@@ -25,7 +25,6 @@ detection:
 - '\Shutdown'
 - '\Logon'
 - '\Logoff'
-
 filter:
 Details: '(Empty)'
 condition: scripts_base and scripts and not filter
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_winsock2.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 2df6356c5..9ff603c91 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 winsock_parameters_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
similarity index 98%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 35fc7f36d..f57f6345e 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/05
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 wow_current_version_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_classes.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index 41cc28651..ff31a07dd 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 wow_classes_base:
diff --git a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_currentversion.yml
rename to rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index 46559a9e1..79ada3f0e 100644
--- a/rules/windows/registry_set/registry_event_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -11,9 +11,9 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 wow_nt_current_version_base:
diff --git a/rules/windows/registry_set/registry_event_blackbyte_ransomware.yml b/rules/windows/registry_set/registry_set_blackbyte_ransomware.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_blackbyte_ransomware.yml
rename to rules/windows/registry_set/registry_set_blackbyte_ransomware.yml
index 657fd0743..a8504a2b4 100644
--- a/rules/windows/registry_set/registry_event_blackbyte_ransomware.yml
+++ b/rules/windows/registry_set/registry_set_blackbyte_ransomware.yml
@@ -3,12 +3,13 @@ id: 83314318-052a-4c90-a1ad-660ece38d276
 description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
 author: frack113
 date: 2022/01/24
+modified: 2022/03/26
 status: experimental
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_bypass_uac_using_delegateexecute.yml b/rules/windows/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_bypass_uac_using_delegateexecute.yml
rename to rules/windows/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index 0e34c1768..48980e9b0 100644
--- a/rules/windows/registry_set/registry_event_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -3,13 +3,14 @@ id: 46dd5308-4572-4d12-aa43-8938f0184d4f
 description: Bypasses User Account Control using a fileless method
 author: frack113
 date: 2022/01/05
+modified: 2022/03/26
 status: experimental
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_bypass_uac_using_eventviewer.yml b/rules/windows/registry_set/registry_set_bypass_uac_using_eventviewer.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_bypass_uac_using_eventviewer.yml
rename to rules/windows/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 63dd85465..effa3e7b5 100644
--- a/rules/windows/registry_set/registry_event_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -3,12 +3,13 @@ id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
 description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
 author: frack113
 date: 2022/01/05
+modified: 2022/03/26
 status: experimental
 references:
     - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
similarity index 92%
rename from rules/windows/registry_set/registry_event_bypass_uac_using_silentcleanup_task.yml
rename to rules/windows/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index c594a194c..4f64f24b9 100644
--- a/rules/windows/registry_set/registry_event_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -3,12 +3,13 @@ id: 724ea201-6514-4f38-9739-e5973c34f49a
 description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
 author: frack113
 date: 2022/01/06
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
     - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_change_rdp_port.yml b/rules/windows/registry_set/registry_set_change_rdp_port.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_change_rdp_port.yml
rename to rules/windows/registry_set/registry_set_change_rdp_port.yml
index 6fcd42dee..b078a5993 100644
--- a/rules/windows/registry_set/registry_event_change_rdp_port.yml
+++ b/rules/windows/registry_set/registry_set_change_rdp_port.yml
@@ -6,11 +6,12 @@ description: |
     Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
 author: frack113
 date: 2022/01/01
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_change_security_zones.yml b/rules/windows/registry_set/registry_set_change_security_zones.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_change_security_zones.yml
rename to rules/windows/registry_set/registry_set_change_security_zones.yml
index e88bc1e50..67a307e6b 100644
--- a/rules/windows/registry_set/registry_event_change_security_zones.yml
+++ b/rules/windows/registry_set/registry_set_change_security_zones.yml
@@ -3,12 +3,13 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
 description: Hides the file extension through modification of the registry
 author: frack113
 date: 2022/01/22
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
     - https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_domains:
diff --git a/rules/windows/registry_set/registry_event_chrome_extension.yml b/rules/windows/registry_set/registry_set_chrome_extension.yml
similarity index 99%
rename from rules/windows/registry_set/registry_event_chrome_extension.yml
rename to rules/windows/registry_set/registry_set_chrome_extension.yml
index 9de42f7b9..852a13bed 100644
--- a/rules/windows/registry_set/registry_event_chrome_extension.yml
+++ b/rules/windows/registry_set/registry_set_chrome_extension.yml
@@ -3,11 +3,12 @@ id: b64a026b-8deb-4c1d-92fd-98893209dff1
 description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
 author: frack113
 date: 2021/12/28
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     chrome_ext:
diff --git a/rules/windows/registry_set/registry_event_cobaltstrike_service_installs.yml b/rules/windows/registry_set/registry_set_cobaltstrike_service_installs.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_cobaltstrike_service_installs.yml
rename to rules/windows/registry_set/registry_set_cobaltstrike_service_installs.yml
index e21e4b644..55e9b6900 100644
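Review bot: The `description` context line of the security-zones rule reads `Hides the file extension through modification of the registry`, which is the same wording as the hidden-extension rule later in this commit and does not match what its references (adding a domain to the trusted-sites zone) and its `selection_domains` block presumably cover. The rename is a natural moment to correct it, e.g. `description: Detects modification of the Internet Explorer security zones (trusted sites) through the registry`. This text is pre-existing rather than introduced by the hunk, and the rule's detection block continues outside the hunk.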
--- a/rules/windows/registry_set/registry_event_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -5,18 +5,12 @@ description: Detects known malicious service installs that appear in cases in wh
     In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
 status: experimental
 date: 2021/06/29
+modified: 2022/03/26
 author: Wojciech Lesicki
-tags:
-    - attack.execution
-    - attack.privilege_escalation
-    - attack.lateral_movement
-    - attack.t1021.002
-    - attack.t1543.003
-    - attack.t1569.002
 references:
     - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection1:
@@ -34,4 +28,11 @@ detection:
     condition: selection1 and (selection2 or selection3)
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.lateral_movement
+    - attack.t1021.002
+    - attack.t1543.003
+    - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_defender_disabled.yml b/rules/windows/registry_set/registry_set_defender_disabled.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_defender_disabled.yml
rename to rules/windows/registry_set/registry_set_defender_disabled.yml
index cc6bcbd94..ac02beeae 100644
--- a/rules/windows/registry_set/registry_event_defender_disabled.yml
+++ b/rules/windows/registry_set/registry_set_defender_disabled.yml
@@ -5,19 +5,16 @@ related:
       type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2022/01/13
+modified: 2022/03/26
 author: Ján Trenčanský, frack113, AlertIQ
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 status: experimental
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
 detection:
     tamper_registry:
         EventType: SetValue
@@ -35,4 +32,7 @@ detection:
     condition: tamper_registry or selection2
 falsepositives:
     - Administrator actions
-level: high
\ No newline at end of file
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_defender_exclusions.yml b/rules/windows/registry_set/registry_set_defender_exclusions.yml
similarity index 88%
rename from rules/windows/registry_set/registry_event_defender_exclusions.yml
rename to rules/windows/registry_set/registry_set_defender_exclusions.yml
index 863ce5553..d938019a3 100644
--- a/rules/windows/registry_set/registry_event_defender_exclusions.yml
+++ b/rules/windows/registry_set/registry_set_defender_exclusions.yml
@@ -5,17 +5,14 @@ related:
       type: derived
 description: Detects the Setting of Windows Defender Exclusions
 date: 2021/07/06
-modified: 2021/09/21
+modified: 2022/03/26
 author: Christian Burkard
 references:
     - https://twitter.com/_nullbind/status/1204923340810543109
 status: test
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
 detection:
     selection2:
         #EventID: 13
@@ -24,4 +21,7 @@ detection:
     condition: selection2
 falsepositives:
     - Administrator actions
-level: medium
\ No newline at end of file
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_defender_realtime_protection_disabled.yml b/rules/windows/registry_set/registry_set_defender_realtime_protection_disabled.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_defender_realtime_protection_disabled.yml
rename to rules/windows/registry_set/registry_set_defender_realtime_protection_disabled.yml
index 2eb860fab..0385570f6 100644
--- a/rules/windows/registry_set/registry_event_defender_realtime_protection_disabled.yml
+++ b/rules/windows/registry_set/registry_set_defender_realtime_protection_disabled.yml
@@ -2,17 +2,15 @@ title: Windows Defender Real-Time Protection Disabled
 id: fd115e64-97c7-491f-951c-fc8da7e042fa
 description: Detects disabling Windows Defender Real-Time Protection by modifying registry
 date: 2021/10/18
+modified: 2022/03/26
 author: AlertIQ
 references:
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
     - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
 status: experimental
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
 detection:
     tamper_registry1:
         EventType: SetValue
@@ -33,4 +31,7 @@ detection:
     condition: tamper_registry1 or tamper_registry2
 falsepositives:
     - Administrator actions
-level: high
\ No newline at end of file
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_disable_administrative_share.yml b/rules/windows/registry_set/registry_set_disable_administrative_share.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_disable_administrative_share.yml
rename to rules/windows/registry_set/registry_set_disable_administrative_share.yml
index 3a0ad3943..4f8419f9e 100644
--- a/rules/windows/registry_set/registry_event_disable_administrative_share.yml
+++ b/rules/windows/registry_set/registry_set_disable_administrative_share.yml
@@ -3,11 +3,12 @@ id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
 description: Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
 author: frack113
 date: 2022/01/16
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_disable_defender_firewall.yml b/rules/windows/registry_set/registry_set_disable_defender_firewall.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_disable_defender_firewall.yml
rename to rules/windows/registry_set/registry_set_disable_defender_firewall.yml
index 522cd2799..bfc3a8703 100644
--- a/rules/windows/registry_set/registry_event_disable_defender_firewall.yml
+++ b/rules/windows/registry_set/registry_set_disable_defender_firewall.yml
@@ -3,11 +3,12 @@ id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
 description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
 author: frack113
 date: 2022/01/09
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_disable_fonction_user.yml b/rules/windows/registry_set/registry_set_disable_fonction_user.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_disable_fonction_user.yml
rename to rules/windows/registry_set/registry_set_disable_fonction_user.yml
index 651e61744..fb26e12b4 100644
--- a/rules/windows/registry_set/registry_event_disable_fonction_user.yml
+++ b/rules/windows/registry_set/registry_set_disable_fonction_user.yml
@@ -6,8 +6,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
 author: frack113
 date: 2022/03/18
+modified: 2022/03/26
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_set_1:
diff --git a/rules/windows/registry_set/registry_event_disable_microsoft_office_security_features.yml b/rules/windows/registry_set/registry_set_disable_microsoft_office_security_features.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_disable_microsoft_office_security_features.yml
rename to rules/windows/registry_set/registry_set_disable_microsoft_office_security_features.yml
index 7cacb2c85..6b6ef0791 100644
--- a/rules/windows/registry_set/registry_event_disable_microsoft_office_security_features.yml
+++ b/rules/windows/registry_set/registry_set_disable_microsoft_office_security_features.yml
@@ -3,18 +3,15 @@ id: 7c637634-c95d-4bbf-b26c-a82510874b34
 description: Disable Microsoft Office Security Features by registry
 status: experimental
 date: 2021/06/08
+modified: 2022/03/26
 author: frack113
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
     - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
     - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
-
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
     definition: key must be add to the sysmon configuration to works
     # Sysmon
     # \VBAWarnings
@@ -35,3 +32,6 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_disable_uac_registry.yml b/rules/windows/registry_set/registry_set_disable_uac_registry.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_disable_uac_registry.yml
rename to rules/windows/registry_set/registry_set_disable_uac_registry.yml
index 8487e238d..27b4729cb 100644
--- a/rules/windows/registry_set/registry_event_disable_uac_registry.yml
+++ b/rules/windows/registry_set/registry_set_disable_uac_registry.yml
@@ -3,11 +3,12 @@ id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 description: Disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
 author: frack113
 date: 2022/01/05
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
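Review bot: The `tags` block appended to the end of the Office security-features rule leaves the file without a trailing newline (`\ No newline at end of file`), whereas the old file ended cleanly after `level: high`; the same regression appears in the Defender network-protection, PUA and tamper-protection rules, the exefile association rule, the Outlook C2 and TodayPage rules, the persistence search-order rule and the PowerShell-as-service rule. Terminating the last tag line (`    - attack.t1562.001` here) with a newline keeps these files consistent with the rest of the rule set and avoids spurious `\ No newline` churn in the next edit that touches them. The rules whose old file already lacked the newline (BlackByte-era tag moves such as the Cobalt Strike and Defender-disabled rules) are unaffected by this point.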
diff --git a/rules/windows/registry_set/registry_event_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
similarity index 91%
rename from rules/windows/registry_set/registry_event_disabled_exploit_guard_net_protection_on_ms_defender.yml
rename to rules/windows/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index 05d717519..6650516d9 100644
--- a/rules/windows/registry_set/registry_event_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -3,14 +3,12 @@ id: bf9e1387-b040-4393-9851-1598f8ecfae9
 description: Detects disabling Windows Defender Exploit Guard Network Protection
 status: experimental
 date: 2021/08/04
+modified: 2022/03/26
 author: Austin Songer @austinsonger
 references:
     - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
@@ -21,3 +19,6 @@ detection:
 falsepositives:
     - Unknown
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
similarity index 90%
rename from rules/windows/registry_set/registry_event_disabled_pua_protection_on_microsoft_defender.yml
rename to rules/windows/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index f0ad69f89..f002205d6 100644
--- a/rules/windows/registry_set/registry_event_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -3,14 +3,12 @@ id: 8ffc5407-52e3-478f-9596-0a7371eafe13
 description: Detects disabling Windows Defender PUA protection
 status: experimental
 date: 2021/08/04
+modified: 2022/03/26
 author: Austin Songer @austinsonger
 references:
     - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
@@ -21,3 +19,6 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
similarity index 90%
rename from rules/windows/registry_set/registry_event_disabled_tamper_protection_on_microsoft_defender.yml
rename to rules/windows/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 5b8a2d006..776551c21 100644
--- a/rules/windows/registry_set/registry_event_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -3,14 +3,12 @@ id: 93d298a1-d28f-47f1-a468-d971e7796679
 description: Detects disabling Windows Defender Tamper Protection
 status: experimental
 date: 2021/08/04
+modified: 2022/03/26
 author: Austin Songer @austinsonger
 references:
     - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
@@ -21,3 +19,6 @@ detection:
 falsepositives:
     - Unknown
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_dns_over_https_enabled.yml b/rules/windows/registry_set/registry_set_dns_over_https_enabled.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_dns_over_https_enabled.yml
rename to rules/windows/registry_set/registry_set_dns_over_https_enabled.yml
index 55b34be14..d1875bf2a 100644
--- a/rules/windows/registry_set/registry_event_dns_over_https_enabled.yml
+++ b/rules/windows/registry_set/registry_set_dns_over_https_enabled.yml
@@ -9,10 +9,10 @@ references:
     - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
     - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
 date: 2021/07/22
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
 detection:
     selection_edge:
         EventType: SetValue
diff --git a/rules/windows/registry_set/registry_event_etw_disabled.yml b/rules/windows/registry_set/registry_set_etw_disabled.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_etw_disabled.yml
rename to rules/windows/registry_set/registry_set_etw_disabled.yml
index a28b1099b..2c2769047 100644
--- a/rules/windows/registry_set/registry_event_etw_disabled.yml
+++ b/rules/windows/registry_set/registry_set_etw_disabled.yml
@@ -14,10 +14,10 @@ references:
     - http://managed670.rssing.com/chan-5590147/all_p1.html
     - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 date: 2020/06/05
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
     product: windows
-    category: registry_event
+    category: registry_set
 detection:
     selection:
         EventType: SetValue
diff --git a/rules/windows/registry_set/registry_event_file_association_exefile.yml b/rules/windows/registry_set/registry_set_file_association_exefile.yml
similarity index 88%
rename from rules/windows/registry_set/registry_event_file_association_exefile.yml
rename to rules/windows/registry_set/registry_set_file_association_exefile.yml
index 21f066f40..09fff0992 100644
--- a/rules/windows/registry_set/registry_event_file_association_exefile.yml
+++ b/rules/windows/registry_set/registry_set_file_association_exefile.yml
@@ -3,13 +3,12 @@ id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
 description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
 author: Andreas Hunkeler (@Karneades)
 date: 2021/11/19
+modified: 2022/03/26
 status: experimental
 references:
     - https://twitter.com/mrd0x/status/1461041276514623491
-tags:
-    - attack.defense_evasion
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
@@ -20,3 +19,5 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_hidden_extention.yml b/rules/windows/registry_set/registry_set_hidden_extention.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_hidden_extention.yml
rename to rules/windows/registry_set/registry_set_hidden_extention.yml
index f24c17591..1cbf33f9d 100644
--- a/rules/windows/registry_set/registry_event_hidden_extention.yml
+++ b/rules/windows/registry_set/registry_set_hidden_extention.yml
@@ -3,13 +3,14 @@ id: 5df86130-4e95-4a54-90f7-26541b40aec2
 description: Hides the file extension through modification of the registry
 author: frack113
 date: 2022/01/22
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
     - https://unit42.paloaltonetworks.com/ransomware-families/
     - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_HideFileExt:
diff --git a/rules/windows/registry_set/registry_event_hide_fonction_user.yml b/rules/windows/registry_set/registry_set_hide_fonction_user.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_hide_fonction_user.yml
rename to rules/windows/registry_set/registry_set_hide_fonction_user.yml
index d315f2bfd..e8821183c 100644
--- a/rules/windows/registry_set/registry_event_hide_fonction_user.yml
+++ b/rules/windows/registry_set/registry_set_hide_fonction_user.yml
@@ -6,8 +6,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
 author: frack113
 date: 2022/03/18
+modified: 2022/03/26
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_set_1:
diff --git a/rules/windows/registry_set/registry_event_ie_persistence.yml b/rules/windows/registry_set/registry_set_ie_persistence.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_ie_persistence.yml
rename to rules/windows/registry_set/registry_set_ie_persistence.yml
index 70e6f6566..6b80b1a7e 100644
--- a/rules/windows/registry_set/registry_event_ie_persistence.yml
+++ b/rules/windows/registry_set/registry_set_ie_persistence.yml
@@ -3,12 +3,12 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings
 author: frack113
 date: 2022/01/22
-modified: 2022/03/25
+modified: 2022/03/26
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_domains:
diff --git a/rules/windows/registry_set/registry_event_mal_adwind.yml b/rules/windows/registry_set/registry_set_mal_adwind.yml
similarity index 92%
rename from rules/windows/registry_set/registry_event_mal_adwind.yml
rename to rules/windows/registry_set/registry_set_mal_adwind.yml
index 7c4060d17..4161d789c 100644
--- a/rules/windows/registry_set/registry_event_mal_adwind.yml
+++ b/rules/windows/registry_set/registry_set_mal_adwind.yml
@@ -10,9 +10,9 @@ references:
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 date: 2017/11/10
-modified: 2022/01/13
+modified: 2022/003/26
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
diff --git a/rules/windows/registry_set/registry_event_office_enable_dde.yml b/rules/windows/registry_set/registry_set_office_enable_dde.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_office_enable_dde.yml
rename to rules/windows/registry_set/registry_set_office_enable_dde.yml
index 4c4d09642..6413434c0 100644
--- a/rules/windows/registry_set/registry_event_office_enable_dde.yml
+++ b/rules/windows/registry_set/registry_set_office_enable_dde.yml
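Review bot: The new `modified` value in the mal_adwind hunk is `2022/003/26`, a three-digit month that does not follow the YYYY/MM/DD form every other `modified` line in this commit uses. It should read `+modified: 2022/03/26`. Any validation that parses the rule's date fields would presumably reject the file as written, so this is worth fixing before merge.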
@@ -3,11 +3,12 @@ id: 63647769-326d-4dde-a419-b925cc0caf42
 description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
 author: frack113
 date: 2022/02/26
+modified: 2022/03/26
 status: experimental
 references:
     - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_word:
diff --git a/rules/windows/registry_set/registry_event_office_vsto_persistence.yml b/rules/windows/registry_set/registry_set_office_vsto_persistence.yml
similarity index 93%
rename from rules/windows/registry_set/registry_event_office_vsto_persistence.yml
rename to rules/windows/registry_set/registry_set_office_vsto_persistence.yml
index 148e86372..9f2d1fe8a 100644
--- a/rules/windows/registry_set/registry_event_office_vsto_persistence.yml
+++ b/rules/windows/registry_set/registry_set_office_vsto_persistence.yml
@@ -5,14 +5,11 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i
 references:
     - https://twitter.com/_vivami/status/1347925307643355138
     - https://vanmieghem.io/stealth-outlook-persistence/
-tags:
-    - attack.t1137.006
-    - attack.persistence
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2022/02/09
+modified: 2022/03/26
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection:
@@ -36,4 +33,7 @@ detection:
     condition: selection and not 1 of filter_*
 falsepositives:
     - Legitimate Addin Installation
-level: medium
\ No newline at end of file
+level: medium
+tags:
+    - attack.t1137.006
+    - attack.persistence
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_outlook_c2_registry_key.yml b/rules/windows/registry_set/registry_set_outlook_c2_registry_key.yml
similarity index 92%
rename from rules/windows/registry_set/registry_event_outlook_c2_registry_key.yml
rename to rules/windows/registry_set/registry_set_outlook_c2_registry_key.yml
index a6b8a353b..b4be180c9 100644
--- a/rules/windows/registry_set/registry_event_outlook_c2_registry_key.yml
+++ b/rules/windows/registry_set/registry_set_outlook_c2_registry_key.yml
@@ -5,16 +5,10 @@ description: Detects the modification of Outlook Security Setting to allow unpro
 references:
     - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
-tags:
-    - attack.persistence
-    - attack.command_and_control
-    - attack.t1137
-    - attack.t1008
-    - attack.t1546
 date: 2021/04/05
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
-    category: registry_event
+    category: registry_set
     product: windows
 detection:
     selection_registry:
@@ -25,3 +19,9 @@ detection:
 falsepositives:
     - Unlikely
 level: medium
+tags:
+    - attack.persistence
+    - attack.command_and_control
+    - attack.t1137
+    - attack.t1008
+    - attack.t1546
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_outlook_registry_todaypage.yml b/rules/windows/registry_set/registry_set_outlook_registry_todaypage.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_outlook_registry_todaypage.yml
rename to rules/windows/registry_set/registry_set_outlook_registry_todaypage.yml
index a98f749d3..5a64c64f4 100644
--- a/rules/windows/registry_set/registry_event_outlook_registry_todaypage.yml
+++ b/rules/windows/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -6,13 +6,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 author: Tobias Michalski
 date: 2021/06/10
-modified: 2022/03/05
-tags:
- - attack.persistence
- - attack.t1112
+modified: 2022/03/26
 logsource:
 product: windows
- category: registry_event
+ category: registry_set
 detection:
 selection1:
 TargetObject|contains:
@@ -35,3 +32,6 @@ fields:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_outlook_security.yml b/rules/windows/registry_set/registry_set_outlook_security.yml
similarity index 93%
rename from rules/windows/registry_set/registry_event_outlook_security.yml
rename to rules/windows/registry_set/registry_set_outlook_security.yml
index 69941cbea..4fee4fa05 100644
--- a/rules/windows/registry_set/registry_event_outlook_security.yml
+++ b/rules/windows/registry_set/registry_set_outlook_security.yml
@@ -3,12 +3,13 @@ id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 description: Change outlook email security settings
 author: frack113
 date: 2021/12/28
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md
 - https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_persistence_search_order.yml b/rules/windows/registry_set/registry_set_persistence_search_order.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_persistence_search_order.yml
rename to rules/windows/registry_set/registry_set_persistence_search_order.yml
index 791d70510..f3724cc84 100644
--- a/rules/windows/registry_set/registry_event_persistence_search_order.yml
+++ b/rules/windows/registry_set/registry_set_persistence_search_order.yml
@@ -7,12 +7,9 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/03/05
-tags:
- - attack.persistence
- - attack.t1546.015
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection: # Detect new COM servers in the user hive
@@ -75,3 +72,6 @@ detection:
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
 level: medium
+tags:
+ - attack.persistence
+ - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_powershell_as_service.yml b/rules/windows/registry_set/registry_set_powershell_as_service.yml
similarity index 90%
rename from rules/windows/registry_set/registry_event_powershell_as_service.yml
rename to rules/windows/registry_set/registry_set_powershell_as_service.yml
index 2da308f2c..c78cb893c 100644
--- a/rules/windows/registry_set/registry_event_powershell_as_service.yml
+++ b/rules/windows/registry_set/registry_set_powershell_as_service.yml
@@ -4,14 +4,11 @@ description: Detects that a powershell code is written to the registry as a serv
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/01/13
+modified: 2022/03/26
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-tags:
- - attack.execution
- - attack.t1569.002
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -25,3 +22,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_powershell_in_run_keys.yml b/rules/windows/registry_set/registry_set_powershell_in_run_keys.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_powershell_in_run_keys.yml
rename to rules/windows/registry_set/registry_set_powershell_in_run_keys.yml
index 96870cf7f..548685764 100644
--- a/rules/windows/registry_set/registry_event_powershell_in_run_keys.yml
+++ b/rules/windows/registry_set/registry_set_powershell_in_run_keys.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/frack113/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
 author: frack113, Florian Roth
 date: 2022/03/17
-modified: 2022/03/18
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_rdp_registry_modification.yml b/rules/windows/registry_set/registry_set_rdp_registry_modification.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_rdp_registry_modification.yml
rename to rules/windows/registry_set/registry_set_rdp_registry_modification.yml
index b95d8e580..3b0815014 100755
--- a/rules/windows/registry_set/registry_event_rdp_registry_modification.yml
+++ b/rules/windows/registry_set/registry_set_rdp_registry_modification.yml
@@ -6,9 +6,9 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
 date: 2019/09/12
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_set_nopolicies_user.yml b/rules/windows/registry_set/registry_set_set_nopolicies_user.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_set_nopolicies_user.yml
rename to rules/windows/registry_set/registry_set_set_nopolicies_user.yml
index 181d00e27..41ec6e700 100644
--- a/rules/windows/registry_set/registry_event_set_nopolicies_user.yml
+++ b/rules/windows/registry_set/registry_set_set_nopolicies_user.yml
@@ -6,8 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
 author: frack113
 date: 2022/03/18
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection_set_1:
diff --git a/rules/windows/registry_set/registry_event_set_servicedll.yml b/rules/windows/registry_set/registry_set_set_servicedll.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_set_servicedll.yml
rename to rules/windows/registry_set/registry_set_set_servicedll.yml
index 4c56b6b3d..a215afdad 100644
--- a/rules/windows/registry_set/registry_event_set_servicedll.yml
+++ b/rules/windows/registry_set/registry_set_set_servicedll.yml
@@ -3,11 +3,12 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6
 description: Detects the modification of a ServiceDLL value in the service settings
 author: frack113
 date: 2022/02/04
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_shim_databases_persistence.yml b/rules/windows/registry_set/registry_set_shim_databases_persistence.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_shim_databases_persistence.yml
rename to rules/windows/registry_set/registry_set_shim_databases_persistence.yml
index 1b3aeba7f..92260f1e8 100644
--- a/rules/windows/registry_set/registry_event_shim_databases_persistence.yml
+++ b/rules/windows/registry_set/registry_set_shim_databases_persistence.yml
@@ -5,12 +5,13 @@ description: |
 The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
 author: frack113
 date: 2021/12/30
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_silentprocessexit.yml b/rules/windows/registry_set/registry_set_silentprocessexit.yml
similarity index 90%
rename from rules/windows/registry_set/registry_event_silentprocessexit.yml
rename to rules/windows/registry_set/registry_set_silentprocessexit.yml
index 08f1c07fb..2f1f92be5 100644
--- a/rules/windows/registry_set/registry_event_silentprocessexit.yml
+++ b/rules/windows/registry_set/registry_set_silentprocessexit.yml
@@ -7,12 +7,9 @@ references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 date: 2021/02/26
-modified: 2022/01/13
-tags:
- - attack.persistence
- - attack.t1546.012
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -22,4 +19,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.persistence
+ - attack.t1546.012
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_susp_printer_driver.yml b/rules/windows/registry_set/registry_set_susp_printer_driver.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_susp_printer_driver.yml
rename to rules/windows/registry_set/registry_set_susp_printer_driver.yml
index 1c21ad882..0f3f90a4a 100644
--- a/rules/windows/registry_set/registry_event_susp_printer_driver.yml
+++ b/rules/windows/registry_set/registry_set_susp_printer_driver.yml
@@ -6,9 +6,9 @@ author: Florian Roth
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
 date: 2020/07/01
-modified: 2022/02/09
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_susp_reg_persist_explorer_run.yml b/rules/windows/registry_set/registry_set_susp_reg_persist_explorer_run.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_susp_reg_persist_explorer_run.yml
rename to rules/windows/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 31e621931..79344ac32 100755
--- a/rules/windows/registry_set/registry_event_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -6,9 +6,9 @@ author: Florian Roth, oscd.community
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 date: 2018/07/18
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_susp_run_key_img_folder.yml b/rules/windows/registry_set/registry_set_susp_run_key_img_folder.yml
similarity index 94%
rename from rules/windows/registry_set/registry_event_susp_run_key_img_folder.yml
rename to rules/windows/registry_set/registry_set_susp_run_key_img_folder.yml
index e4e99540b..d27416050 100755
--- a/rules/windows/registry_set/registry_event_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -6,9 +6,9 @@ references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth, Markus Neis, Sander Wiebing
 date: 2018/08/25
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_susp_service_installed.yml b/rules/windows/registry_set/registry_set_susp_service_installed.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_susp_service_installed.yml
rename to rules/windows/registry_set/registry_set_susp_service_installed.yml
index 47489812b..dcd941a43 100755
--- a/rules/windows/registry_set/registry_event_susp_service_installed.yml
+++ b/rules/windows/registry_set/registry_set_susp_service_installed.yml
@@ -6,9 +6,9 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes)
 references:
 - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 date: 2019/04/08
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection_1:
diff --git a/rules/windows/registry_set/registry_event_suspicious_keyboard_layout_load.yml b/rules/windows/registry_set/registry_set_suspicious_keyboard_layout_load.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_suspicious_keyboard_layout_load.yml
rename to rules/windows/registry_set/registry_set_suspicious_keyboard_layout_load.yml
index c0f6eed5c..99b08e747 100755
--- a/rules/windows/registry_set/registry_event_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_set/registry_set_suspicious_keyboard_layout_load.yml
@@ -7,9 +7,9 @@ references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
 date: 2019/10/12
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
diff --git a/rules/windows/registry_set/registry_event_taskcache_entry.yml b/rules/windows/registry_set/registry_set_taskcache_entry.yml
similarity index 97%
rename from rules/windows/registry_set/registry_event_taskcache_entry.yml
rename to rules/windows/registry_set/registry_set_taskcache_entry.yml
index c9dc74645..dbd60de43 100644
--- a/rules/windows/registry_set/registry_event_taskcache_entry.yml
+++ b/rules/windows/registry_set/registry_set_taskcache_entry.yml
@@ -2,17 +2,13 @@ title: New TaskCache Entry
 id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
 status: experimental
-tags:
- - attack.persistence
- - attack.t1053
- - attack.t1053.005
 date: 2021/06/18
-modified: 2022/03/03
+modified: 2022/03/26
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 author: Syed Hasan (@syedhasan009)
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -56,4 +52,8 @@ detection:
 condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1053.005
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_telemetry_persistence.yml b/rules/windows/registry_set/registry_set_telemetry_persistence.yml
similarity index 95%
rename from rules/windows/registry_set/registry_event_telemetry_persistence.yml
rename to rules/windows/registry_set/registry_set_telemetry_persistence.yml
index 3aa1029b3..25cfce045 100644
--- a/rules/windows/registry_set/registry_event_telemetry_persistence.yml
+++ b/rules/windows/registry_set/registry_set_telemetry_persistence.yml
@@ -6,9 +6,9 @@ author: Lednyov Alexey, oscd.community
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 date: 2020/10/16
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
 detection:
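Review bot: The taskcache_entry hunk switches the rule to `category: registry_set` while the unchanged `description:` still says it monitors "the creation of a new key under 'TaskCache'"; the backend mappings added later in this commit (sysmon.yml, thor.yml, fortisiem-windows.yml) bind `registry_set` to Sysmon EventID 13, which is a value-set event rather than a key-creation event. If the `selection:` block (outside this hunk) only matches on `TargetObject` it will likely still fire on the values written under the new task key, but the description should then say so, e.g. `description: Detects registry values being set under 'TaskCache' when a new scheduled task is registered`. If the rule genuinely depends on key creation (EventID 12), `registry_set` is the wrong category for it; please confirm which event the detection was validated against.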
diff --git a/rules/windows/registry_set/registry_event_uac_bypass_winsat.yml b/rules/windows/registry_set/registry_set_uac_bypass_winsat.yml
similarity index 91%
rename from rules/windows/registry_set/registry_event_uac_bypass_winsat.yml
rename to rules/windows/registry_set/registry_set_uac_bypass_winsat.yml
index 5280038f2..120ef0e9b 100644
--- a/rules/windows/registry_set/registry_event_uac_bypass_winsat.yml
+++ b/rules/windows/registry_set/registry_set_uac_bypass_winsat.yml
@@ -3,16 +3,12 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 author: Christian Burkard
 date: 2021/08/30
-modified: 2022/01/13
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/hfiref0x/UACME
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -25,3 +21,7 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_uac_bypass_wmp.yml b/rules/windows/registry_set/registry_set_uac_bypass_wmp.yml
similarity index 90%
rename from rules/windows/registry_set/registry_event_uac_bypass_wmp.yml
rename to rules/windows/registry_set/registry_set_uac_bypass_wmp.yml
index ea145d3c0..3aab4807b 100644
--- a/rules/windows/registry_set/registry_event_uac_bypass_wmp.yml
+++ b/rules/windows/registry_set/registry_set_uac_bypass_wmp.yml
@@ -3,16 +3,12 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 author: Christian Burkard
 date: 2021/08/23
-modified: 2022/01/13
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/hfiref0x/UACME
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -23,3 +19,7 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_vbs_payload_stored.yml b/rules/windows/registry_set/registry_set_vbs_payload_stored.yml
similarity index 96%
rename from rules/windows/registry_set/registry_event_vbs_payload_stored.yml
rename to rules/windows/registry_set/registry_set_vbs_payload_stored.yml
index 0b9e1d609..049dc3869 100644
--- a/rules/windows/registry_set/registry_event_vbs_payload_stored.yml
+++ b/rules/windows/registry_set/registry_set_vbs_payload_stored.yml
@@ -3,12 +3,12 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f
 description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
 status: experimental
 date: 2021/03/05
-modified: 2022/03/04
+modified: 2022/03/26
 author: Florian Roth
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/rules/windows/registry_set/registry_event_wab_dllpath_reg_change.yml b/rules/windows/registry_set/registry_set_wab_dllpath_reg_change.yml
similarity index 92%
rename from rules/windows/registry_set/registry_event_wab_dllpath_reg_change.yml
rename to rules/windows/registry_set/registry_set_wab_dllpath_reg_change.yml
index 195ddd91b..01fec3174 100644
--- a/rules/windows/registry_set/registry_event_wab_dllpath_reg_change.yml
+++ b/rules/windows/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -6,14 +6,11 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
 - https://twitter.com/Hexacorn/status/991447379864932352
 - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-tags:
- - attack.defense_evasion
- - attack.t1218
 date: 2020/10/13
-modified: 2022/01/13
+modified: 2022/03/26
 author: oscd.community, Natalia Shornikova
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -25,3 +22,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
similarity index 93%
rename from rules/windows/registry_set/registry_event_wdigest_enable_uselogoncredential.yml
rename to rules/windows/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index 93eb30787..b04bafc12 100644
--- a/rules/windows/registry_set/registry_event_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -3,16 +3,13 @@ id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
 description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
 status: experimental
 date: 2019/09/12
-modified: 2022/02/01
+modified: 2022/03/26
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1112
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
@@ -23,3 +20,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry_set/registry_event_winlogon_notify_key.yml b/rules/windows/registry_set/registry_set_winlogon_notify_key.yml
similarity index 92%
rename from rules/windows/registry_set/registry_event_winlogon_notify_key.yml
rename to rules/windows/registry_set/registry_set_winlogon_notify_key.yml
index d79b97472..5a01a196f 100644
--- a/rules/windows/registry_set/registry_event_winlogon_notify_key.yml
+++ b/rules/windows/registry_set/registry_set_winlogon_notify_key.yml
@@ -5,11 +5,12 @@ description: |
 Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
 author: frack113
 date: 2021/12/30
+modified: 2022/03/26
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
 logsource:
- category: registry_event
+ category: registry_set
 product: windows
 detection:
 selection:
diff --git a/tools/config/devo-windows.yml b/tools/config/devo-windows.yml
index dbda11524..dcb4da3ad 100644
--- a/tools/config/devo-windows.yml
+++ b/tools/config/devo-windows.yml
@@ -24,6 +24,9 @@ logsources:
 windows-category-registry_event:
 product: windows
 category: registry_event
+ windows-category-registry_set:
+ product: windows
+ category: registry_set
 windows-category-process_access:
 product: windows
 category: process_access
diff --git a/tools/config/fortisiem-windows.yml b/tools/config/fortisiem-windows.yml
index 4ea84a5b2..695c7b336 100644
--- a/tools/config/fortisiem-windows.yml
+++ b/tools/config/fortisiem-windows.yml
@@ -39,6 +39,15 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ registry_set:
+ category: registry_set
+ product: windows
+ conditions:
+ eventType:
+ - Win-Sysmon-13-Registry-*
+ rewrite:
+ product: windows
+ service: sysmon
 file_creation:
 category: file_event
 product: windows
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index a325c204c..31df2f1ac 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -118,6 +118,15 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ registry_set:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID:
+ - 13
+ rewrite:
+ product: windows
+ service: sysmon
 create_stream_hash:
 category: create_stream_hash
 product: windows
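Review bot: In the tools/config/generic/sysmon.yml hunk the new `registry_set:` logsource is declared with `category: registry_event`, so none of the rules this commit moves to `category: registry_set` will resolve through the generic Sysmon config; the devo-windows.yml and fortisiem-windows.yml hunks in the same commit correctly use `category: registry_set`. The fix is `+    category: registry_set` under `registry_set:`. Binding a second logsource to `registry_event` also looks like it would make existing registry_event rules match twice (once via the existing 12/13/14 mapping, once via EventID 13 alone), though the existing mapping is outside this hunk and I have not confirmed it. The hawk.yml hunk on the next line (`windows-registry-set` with `category: registry_event` and `vendor_id: 13`) has the same category mismatch and should be corrected together with this one.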
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index 5eff54cfb..ef7a37aa4 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
@@ -20,6 +20,16 @@ logsources:
 rewrite:
 product: windows
 service: security
+ registry_event:
+ category: registry_set
+ product: windows
+ conditions:
+ EventID: 4657
+ OperationType:
+ - 'Existing registry value modified'
+ rewrite:
+ product: windows
+ service: security
 fieldmappings:
 Image: NewProcessName
 ParentImage: ParentProcessName
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 0ee7d0bde..117776789 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -383,6 +383,11 @@ logsources:
 - 12
 - 13
 - 14
+ windows-registry-set:
+ product: windows
+ category: registry_event
+ conditions:
+ vendor_id: 13
 qflow:
 product: qflow
 netflow:
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index b41272129..3d42174dd 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -129,6 +129,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ registry_event4:
+ category: registry_set
+ product: windows
+ conditions:
+ EventID: 13
+ rewrite:
+ product: windows
+ service: sysmon
 create_stream_hash:
 category: create_stream_hash
 product: windows
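Review bot: In the tools/config/generic/windows-audit.yml hunk the new logsource is keyed `registry_event:` although it maps `category: registry_set`; if the file already declares a `registry_event` logsource elsewhere (not visible in this hunk), a duplicate YAML mapping key will silently replace one of them, so the key should be `registry_set:` to match the category and the naming used in sysmon.yml and fortisiem-windows.yml. The `OperationType` condition is also narrower than the Sysmon EventID 13 mapping the other backends use: 4657 reports newly created values under a separate OperationType, so a rule that watches for a value being written for the first time (the Run-key and service-persistence rules in this commit) would not match through this mapping; consider adding `- 'New registry value created'` alongside the existing entry. 4657 additionally fires only for keys that carry an audit SACL, which is worth a one-line comment above the condition so users do not assume coverage equivalent to Sysmon.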