Merge pull request #2857 from frack113/fix_logsource

Update Registry logsource
2022-03-27 08:42:49 +02:00
parent eec218e82b c13532aea6
commit e34bbfa7f2
17 changed files with 62 additions and 60 deletions
@@ -1,14 +1,15 @@
-title: Logon Scripts (UserInitMprLogonScript) Registry
+title: Logon Scripts Creation in UserInitMprLogonScript Registry
 id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
 status: test
-description: Detects creation or execution of UserInitMprLogonScript persistence method
+description: Detects creation of UserInitMprLogonScript persistence method
 author: Tom Ueltschi (@c_APT_ure)
 references:
  - https://attack.mitre.org/techniques/T1037/
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md
 date: 2019/01/12
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_add
  product: windows
 detection:
  create_keywords_reg:
@@ -12,18 +12,19 @@ references:
    - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
    - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
    - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
-tags:
-    - attack.defense_evasion
-    - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
 date: 2021/10/07
+modified: 2022/03/26
 author: Christopher Peacock
 level: high
 logsource:
    product: windows
-    category: registry_event
+    category: registry_add
 detection:
    selection1:
        TargetObject|contains: '\software\NetWire'
    condition: selection1
 falsepositives:
    - Unknown
+tags:
+    - attack.defense_evasion
+    - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
@@ -3,21 +3,21 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014
 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
 status: experimental
 date: 2020/05/02
-modified: 2021/05/12
+modified: 2022/03/26
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004
 references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
 logsource:
    product: windows
-    category: registry_event
+    category: registry_add
 detection:
    selection:
        TargetObject|contains: '\Software\Sysinternals\SDelete'
    condition: selection
 falsepositives:
    - Unknown
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
@@ -4,14 +4,12 @@ status: experimental
 description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
 author: Tobias Michalski
 date: 2022/02/24
+modified: 2022/03/26
 references:
    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
-tags:
-    - attack.t1564
-    - attack.t1112
 logsource:
    product: windows
-    category: registry_event
+    category: registry_set
 detection:
    selection:
        TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
@@ -20,3 +18,6 @@ detection:
 falsepositives:
    - Legitimate disabling of crashdumps
 level: medium
+tags:
+    - attack.t1564
+    - attack.t1112
@@ -16,8 +16,8 @@ detection:
      - TargetObject|endswith:
                - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
                - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
-      -  # key rename
-        NewName|endswith:
+        #key rename
+      - NewName|endswith:
                - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
                - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
@@ -7,14 +7,13 @@ references:
  - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
  - https://www.exploit-db.com/exploits/47696
 date: 2020/09/27
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_set
  product: windows
 detection:
  selection:
-    TargetObject:
-      - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+    TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
  condition: selection
 falsepositives:
  - Unknown
@@ -9,7 +9,7 @@ date: 2020/05/13
 modified: 2022/01/13
 logsource:
  product: windows
-  category: registry_event
+  category: registry_set
 detection:
  selection:
    EventType: SetValue
@@ -8,9 +8,9 @@ references:
  - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
  - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_set
  product: windows
 detection:
  selection:
@@ -8,9 +8,9 @@ references:
  - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
  - https://www.sans.org/cyber-security-summit/archives
 date: 2020/09/10
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_set
  product: windows
 detection:
  selection:
@@ -1,4 +1,4 @@
-title: Registry Persistence Mechanisms
+title: GlobalFlags Registry Persistence Mechanisms
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 status: test
 description: Detects persistence registry keys
@@ -6,9 +6,9 @@ author: Karneades, Jonhnathan Ribeiro
 references:
  - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_set
  product: windows
 detection:
  selection_reg1:
@@ -4,23 +4,23 @@ related:
    - id: c3198a27-23a0-4c2c-af19-e5328d49680e
      type: derived
 date: 2020/05/14
-modified: 2021/09/11
+modified: 2022/03/26
 status: experimental
 description: Attempts to detect system changes made by Blue Mockingbird
 references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
-tags:
-    - attack.execution
-    - attack.t1112
-    - attack.t1047
 author: Trent Liffick (@tliffick)
 logsource:
  product: windows
-  category: registry_event
+  category: registry_set
 detection:
  mod_reg:
    TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
  condition: mod_reg
 falsepositives:
    - Unknown
-level: high
+level: high
+tags:
+    - attack.execution
+    - attack.t1112
+    - attack.t1047
@@ -7,10 +7,10 @@ references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/1
  - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
 date: 2020/05/02
-modified: 2021/11/27
+modified: 2022/03/26
 logsource:
  product: windows
-  category: registry_event
+  category: registry_set
 detection:
  selection:
    TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
@@ -4,16 +4,13 @@ status: experimental
 description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2022/01/10
+modified: 2022/03/26
 references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
-tags:
-    - attack.defense_evasion
-    - attack.t1112
 logsource:
-    category: registry_event
+    category: registry_set
    product: windows
 detection:
    sec_settings:
@@ -25,3 +22,6 @@ detection:
 falsepositives:
    - Valid Macros and/or internal documents
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1112
@@ -7,26 +7,26 @@ references:
  - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
 author: Tobias Michalski
 date: 2021/06/09
-modified: 2022/02/09
-tags:
-  - attack.persistence
-  - attack.t1112
+modified: 2022/03/26
 logsource:
  product: windows
-  category: registry_event
+  category: registry_set
 detection:
-  selection1:
+  selection_1:
    TargetObject|contains: 
      - '\Software\Microsoft\Office\'
      - '\Outlook\WebView\'
    TargetObject|endswith: '\URL'
-  selection2:
+  selection_2:
    TargetObject|contains: 
      - '\Calendar\'
      - '\Inbox\'
-  condition: selection1 and selection2
+  condition: all of selection_*
 fields:
  - Details
 falsepositives:
  - Unknown
 level: high
+tags:
+  - attack.persistence
+  - attack.t1112
@@ -9,9 +9,9 @@ references:
  - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
  - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
 date: 2019/04/03
-modified: 2021/12/31
+modified: 2022/03/26
 logsource:
-  category: registry_event
+  category: registry_set
  product: windows
 detection:
  selection_reg:
@@ -7,10 +7,10 @@ references:
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth
 date: 2017/03/19
-modified: 2021/09/12
+modified: 2022/03/26
 logsource:
    product: windows
-    category: registry_event
+    category: registry_set
 detection:
    methregistry:
        TargetObject|startswith: 'HKCU\'
@@ -7,9 +7,9 @@ references:
    - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard
 date: 2017/03/17
-modified: 2022/01/13
+modified: 2022/03/26
 logsource:
-    category: registry_event
+    category: registry_set
    product: windows
 detection:
    selection1: