From c13532aea6d63f5389d0af8363961d343fbed8e9 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 26 Mar 2022 16:57:58 +0100
Subject: [PATCH] Update logsource

---
 ...logon_scripts_userinitmprlogonscript_reg.yml} | 9 +++++----
 .../registry_add_mal_netwire.yml} | 9 +++++----
 ...y_add_sysinternals_sdelete_registry_keys.yml} | 12 ++++++------
 .../registry_event_crashdump_disabled.yml | 9 +++++----
 ...ew_dll_added_to_appinit_dlls_registry_key.yml | 4 ++--
 .../registry_set_comhijack_sdclt.yml} | 7 +++----
 ...istry_set_cve_2020_1048_new_printer_port.yml} | 2 +-
 .../registry_set_dhcp_calloutdll.yml} | 4 ++--
 ..._set_enabling_cor_profiler_env_variables.yml} | 4 ++--
 .../registry_set_globalflags_persistence.yml} | 6 +++---
 .../registry_set_mal_blue_mockingbird.yml} | 14 +++++++-------
 .../registry_set_new_application_appcompat.yml} | 4 ++--
 .../registry_set_office_security.yml} | 10 +++++-----
 .../registry_set_outlook_registry_webview.yml} | 16 ++++++++--------
 .../registry_set_rdp_settings_hijack.yml} | 4 ++--
 .../registry_set_uac_bypass_eventvwr.yml} | 4 ++--
 .../registry_set_uac_bypass_sdclt.yml} | 4 ++--
 17 files changed, 62 insertions(+), 60 deletions(-)
 rename rules/windows/{registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml => registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml} (61%)
 rename rules/windows/{registry_event/registry_event_mal_netwire.yml => registry_add/registry_add_mal_netwire.yml} (93%)
 rename rules/windows/{registry_event/registry_event_sysinternals_sdelete_registry_keys.yml => registry_add/registry_add_sysinternals_sdelete_registry_keys.yml} (89%)
 rename rules/windows/{registry_event/registry_event_comhijack_sdclt.yml => registry_set/registry_set_comhijack_sdclt.yml} (78%)
 rename rules/windows/{registry_event/registry_event_cve_2020_1048.yml => registry_set/registry_set_cve_2020_1048_new_printer_port.yml} (96%)
 rename rules/windows/{registry_event/registry_event_dhcp_calloutdll.yml => registry_set/registry_set_dhcp_calloutdll.yml} (94%)
 rename rules/windows/{registry_event/registry_event_enabling_cor_profiler_env_variables.yml => registry_set/registry_set_enabling_cor_profiler_env_variables.yml} (94%)
 rename rules/windows/{registry_event/registry_event_persistence.yml => registry_set/registry_set_globalflags_persistence.yml} (90%)
 rename rules/windows/{registry_event/registry_event_mal_blue_mockingbird.yml => registry_set/registry_set_mal_blue_mockingbird.yml} (88%)
 rename rules/windows/{registry_event/registry_event_new_application_appcompat.yml => registry_set/registry_set_new_application_appcompat.yml} (95%)
 rename rules/windows/{registry_event/registry_event_office_security.yml => registry_set/registry_set_office_security.yml} (93%)
 rename rules/windows/{registry_event/registry_event_outlook_registry_webview.yml => registry_set/registry_set_outlook_registry_webview.yml} (86%)
 rename rules/windows/{registry_event/registry_event_rdp_settings_hijack.yml => registry_set/registry_set_rdp_settings_hijack.yml} (96%)
 rename rules/windows/{registry_event/registry_event_uac_bypass_eventvwr.yml => registry_set/registry_set_uac_bypass_eventvwr.yml} (91%)
 rename rules/windows/{registry_event/registry_event_uac_bypass_sdclt.yml => registry_set/registry_set_uac_bypass_sdclt.yml} (92%)

diff --git a/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
similarity index 61%
rename from rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml
rename to rules/windows/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
index 0ed72dfb4..d2230d682 100644
--- a/rules/windows/registry_event/registry_event_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
@@ -1,14 +1,15 @@ -title: Logon Scripts (UserInitMprLogonScript) Registry +title: Logon Scripts Creation in UserInitMprLogonScript Registry id: 9ace0707-b560-49b8-b6ca-5148b42f39fb status: test -description: Detects creation or execution of UserInitMprLogonScript persistence method +description: Detects creation of UserInitMprLogonScript persistence method author: Tom Ueltschi (@c_APT_ure) references: - https://attack.mitre.org/techniques/T1037/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md date: 2019/01/12 -modified: 2021/11/27 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_add product: windows detection: create_keywords_reg: diff --git a/rules/windows/registry_event/registry_event_mal_netwire.yml b/rules/windows/registry_add/registry_add_mal_netwire.yml similarity index 93% rename from rules/windows/registry_event/registry_event_mal_netwire.yml rename to rules/windows/registry_add/registry_add_mal_netwire.yml index 0f63e54a6..753e94bb5 100644 --- a/rules/windows/registry_event/registry_event_mal_netwire.yml +++ b/rules/windows/registry_add/registry_add_mal_netwire.yml 
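Review bot: Narrowing this rule's logsource to `category: registry_add` restricts it to key-creation events (Sysmon EventID 12 in the Sigma Windows mapping), but `UserInitMprLogonScript` is a registry value rather than a key, so a write to it would presumably surface as a SetValue event that `registry_set` covers and `registry_add` does not; verify against the Atomic T1037.001 test added to the references that the rule still fires, or use `category: registry_set` (or keep `registry_event`). The `create_keywords_reg` selection and the rest of the detection block continue outside the hunk, so whether it keys on TargetObject or Details cannot be checked here. The same scope question applies to the `registry_add` hunks for the NetWire and SDelete rules, where value writes under the created key will no longer match once only key creation is observed.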
@@ -12,18 +12,19 @@ references: - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ -tags: - - attack.defense_evasion - - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary date: 2021/10/07 +modified: 2022/03/26 author: Christopher Peacock level: high logsource: product: windows - category: registry_event + category: registry_add detection: selection1: TargetObject|contains: '\software\NetWire' condition: selection1 falsepositives: - Unknown +tags: + - attack.defense_evasion + - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml similarity index 89% rename from rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml rename to rules/windows/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml index fa92b605d..e48efbae7 100644 --- a/rules/windows/registry_event/registry_event_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml 
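Review bot: The new side of this hunk leaves the file without a trailing newline (`\ No newline at end of file` after the relocated `tags` block), so the last line `  - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary` should be newline-terminated. The same applies to the rebuilt `tags` blocks in the CrashDump, Blue Mockingbird, Office security and Outlook WebView hunks later in this patch, and the SDelete file keeps its pre-existing missing newline. Moving `tags` to the end of the rule is a reordering only; the tag values and the inline comment are unchanged.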
@@ -3,21 +3,21 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 -modified: 2021/05/12 +modified: 2022/03/26 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.defense_evasion - - attack.t1070.004 references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html logsource: product: windows - category: registry_event + category: registry_add detection: selection: TargetObject|contains: '\Software\Sysinternals\SDelete' condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1070.004 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_crashdump_disabled.yml b/rules/windows/registry_event/registry_event_crashdump_disabled.yml index 8422e8ca8..be96ca227 100644 --- a/rules/windows/registry_event/registry_event_crashdump_disabled.yml +++ b/rules/windows/registry_event/registry_event_crashdump_disabled.yml @@ -4,14 +4,12 @@ status: experimental description: Detects disabling the CrashDump per registry (as used by HermeticWiper) author: Tobias Michalski date: 2022/02/24 +modified: 2022/03/26 references: - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ -tags: - - attack.t1564 - - attack.t1112 logsource: product: windows - category: registry_event + category: registry_set detection: selection: TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl' @@ -20,3 +18,6 @@ detection: falsepositives: - Legitimate disabling of crashdumps level: medium +tags: + - attack.t1564 + - attack.t1112 \ No newline at end of file 
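Review bot: The context line `description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys.` still promises modification coverage, but with `category: registry_add` the rule now only sees key creation; either reword it to `description: Detects the creation of \Software\Sysinternals\SDelete registry keys, an indicator of Sysinternals SDelete use.` or keep `registry_event` so value changes under that key are still matched. The `.*` fragment in the description is also misleading, since the selection uses `TargetObject|contains: '\Software\Sysinternals\SDelete'` rather than a regex.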
diff --git a/rules/windows/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml index df6b7b4d8..08baeb45e 100755 --- a/rules/windows/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml @@ -16,8 +16,8 @@ detection: - TargetObject|endswith: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - # key rename - NewName|endswith: + #key rename + - NewName|endswith: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' filter: diff --git a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml b/rules/windows/registry_set/registry_set_comhijack_sdclt.yml similarity index 78% rename from rules/windows/registry_event/registry_event_comhijack_sdclt.yml rename to rules/windows/registry_set/registry_set_comhijack_sdclt.yml index 96217d7a8..9b419a609 100644 --- a/rules/windows/registry_event/registry_event_comhijack_sdclt.yml +++ b/rules/windows/registry_set/registry_set_comhijack_sdclt.yml @@ -7,14 +7,13 @@ references: - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass - https://www.exploit-db.com/exploits/47696 date: 2020/09/27 -modified: 2021/11/27 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection: - TargetObject: - - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' + TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' condition: selection falsepositives: - Unknown 
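Review bot: Style: the restored comment `#key rename` drops the space after `#` that the original `# key rename` had; `  # key rename` reads better and matches the usual YAML comment form. The restructuring itself, moving the comment out of the list item so that `- NewName|endswith:` is a proper list element, looks right, and keeping this rule on `registry_event` is consistent with it matching rename events through `NewName`.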
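Review bot: The collapsed single-value `TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'` is an exact match anchored on the `HKCU` hive prefix; Sysmon's TargetObject reports per-user hives as `HKU\<SID>\...`, so unless the log pipeline normalizes that prefix this selection will not match raw Sysmon registry_set events. A hive-independent form is `TargetObject|endswith: '\Software\Classes\Folder\shell\open\command\DelegateExecute'`. The same prefix dependency applies to `TargetObject|startswith: 'HKCU\'` in the UAC-bypass eventvwr hunk near the end of this patch.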
diff --git a/rules/windows/registry_event/registry_event_cve_2020_1048.yml b/rules/windows/registry_set/registry_set_cve_2020_1048_new_printer_port.yml similarity index 96% rename from rules/windows/registry_event/registry_event_cve_2020_1048.yml rename to rules/windows/registry_set/registry_set_cve_2020_1048_new_printer_port.yml index c5e24e178..ee73d996a 100644 --- a/rules/windows/registry_event/registry_event_cve_2020_1048.yml +++ b/rules/windows/registry_set/registry_set_cve_2020_1048_new_printer_port.yml @@ -9,7 +9,7 @@ date: 2020/05/13 modified: 2022/01/13 logsource: product: windows - category: registry_event + category: registry_set detection: selection: EventType: SetValue diff --git a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml b/rules/windows/registry_set/registry_set_dhcp_calloutdll.yml similarity index 94% rename from rules/windows/registry_event/registry_event_dhcp_calloutdll.yml rename to rules/windows/registry_set/registry_set_dhcp_calloutdll.yml index 1ad7fb060..423cf4f0e 100755 --- a/rules/windows/registry_event/registry_event_dhcp_calloutdll.yml +++ b/rules/windows/registry_set/registry_set_dhcp_calloutdll.yml @@ -8,9 +8,9 @@ references: - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx date: 2017/05/15 -modified: 2021/11/27 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection: diff --git a/rules/windows/registry_event/registry_event_enabling_cor_profiler_env_variables.yml b/rules/windows/registry_set/registry_set_enabling_cor_profiler_env_variables.yml similarity index 94% rename from rules/windows/registry_event/registry_event_enabling_cor_profiler_env_variables.yml rename to rules/windows/registry_set/registry_set_enabling_cor_profiler_env_variables.yml index 555dcc6da..90c29abd7 100644 
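Review bot: `modified: 2022/01/13` is left unchanged in the CVE-2020-1048 rule although the file is renamed and its logsource changed, while every other rule in this patch bumps `modified` to `2022/03/26`; bump it here too for consistency. With `category: registry_set` the `EventType: SetValue` selector visible in the selection is now implied by the logsource mapping and could be dropped, though keeping it is harmless. The rest of the selection continues outside the hunk.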
--- a/rules/windows/registry_event/registry_event_enabling_cor_profiler_env_variables.yml +++ b/rules/windows/registry_set/registry_set_enabling_cor_profiler_env_variables.yml @@ -8,9 +8,9 @@ references: - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors - https://www.sans.org/cyber-security-summit/archives date: 2020/09/10 -modified: 2021/11/27 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection: diff --git a/rules/windows/registry_event/registry_event_persistence.yml b/rules/windows/registry_set/registry_set_globalflags_persistence.yml similarity index 90% rename from rules/windows/registry_event/registry_event_persistence.yml rename to rules/windows/registry_set/registry_set_globalflags_persistence.yml index 7af6f2753..0134365bc 100755 --- a/rules/windows/registry_event/registry_event_persistence.yml +++ b/rules/windows/registry_set/registry_set_globalflags_persistence.yml @@ -1,4 +1,4 @@ -title: Registry Persistence Mechanisms +title: GlobalFlags Registry Persistence Mechanisms id: 36803969-5421-41ec-b92f-8500f79c23b0 status: test description: Detects persistence registry keys @@ -6,9 +6,9 @@ author: Karneades, Jonhnathan Ribeiro references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2018/04/11 -modified: 2021/11/27 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection_reg1: diff --git a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_set/registry_set_mal_blue_mockingbird.yml similarity index 88% rename from rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml rename to rules/windows/registry_set/registry_set_mal_blue_mockingbird.yml index 1544a4286..fdde0880b 100644 
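Review bot: The title of the persistence rule is narrowed to `GlobalFlags Registry Persistence Mechanisms`, but the context line `description: Detects persistence registry keys` stays generic; align it, e.g. `description: Detects persistence via GlobalFlags in Image File Execution Options registry keys, as described in the referenced blog post`. The `selection_reg1` block and the rest of that detection continue outside the hunk, so the actual key patterns cannot be checked here.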
--- a/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml +++ b/rules/windows/registry_set/registry_set_mal_blue_mockingbird.yml @@ -4,23 +4,23 @@ related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e type: derived date: 2020/05/14 -modified: 2021/09/11 +modified: 2022/03/26 status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ -tags: - - attack.execution - - attack.t1112 - - attack.t1047 author: Trent Liffick (@tliffick) logsource: product: windows - category: registry_event + category: registry_set detection: mod_reg: TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' condition: mod_reg falsepositives: - Unknown -level: high \ No newline at end of file +level: high +tags: + - attack.execution + - attack.t1112 + - attack.t1047 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_new_application_appcompat.yml b/rules/windows/registry_set/registry_set_new_application_appcompat.yml similarity index 95% rename from rules/windows/registry_event/registry_event_new_application_appcompat.yml rename to rules/windows/registry_set/registry_set_new_application_appcompat.yml index 0f58ac137..cccb2b37f 100644 --- a/rules/windows/registry_event/registry_event_new_application_appcompat.yml +++ b/rules/windows/registry_set/registry_set_new_application_appcompat.yml @@ -7,10 +7,10 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/1 - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/03/26 logsource: product: windows - category: registry_event + category: registry_set detection: selection: TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' 
diff --git a/rules/windows/registry_event/registry_event_office_security.yml b/rules/windows/registry_set/registry_set_office_security.yml similarity index 93% rename from rules/windows/registry_event/registry_event_office_security.yml rename to rules/windows/registry_set/registry_set_office_security.yml index 9f0c5fcbe..cc20f00f9 100644 --- a/rules/windows/registry_event/registry_event_office_security.yml +++ b/rules/windows/registry_set/registry_set_office_security.yml @@ -4,16 +4,13 @@ status: experimental description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) author: Trent Liffick (@tliffick) date: 2020/05/22 -modified: 2022/01/10 +modified: 2022/03/26 references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ -tags: - - attack.defense_evasion - - attack.t1112 logsource: - category: registry_event + category: registry_set product: windows detection: sec_settings: @@ -25,3 +22,6 @@ detection: falsepositives: - Valid Macros and/or internal documents level: high +tags: + - attack.defense_evasion + - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml b/rules/windows/registry_set/registry_set_outlook_registry_webview.yml similarity index 86% rename from rules/windows/registry_event/registry_event_outlook_registry_webview.yml rename to rules/windows/registry_set/registry_set_outlook_registry_webview.yml index 64ded1cfb..d400ec7a0 100644 --- a/rules/windows/registry_event/registry_event_outlook_registry_webview.yml +++ b/rules/windows/registry_set/registry_set_outlook_registry_webview.yml 
@@ -7,26 +7,26 @@ references: - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us author: Tobias Michalski date: 2021/06/09 -modified: 2022/02/09 -tags: - - attack.persistence - - attack.t1112 +modified: 2022/03/26 logsource: product: windows - category: registry_event + category: registry_set detection: - selection1: + selection_1: TargetObject|contains: - '\Software\Microsoft\Office\' - '\Outlook\WebView\' TargetObject|endswith: '\URL' - selection2: + selection_2: TargetObject|contains: - '\Calendar\' - '\Inbox\' - condition: selection1 and selection2 + condition: all of selection_* fields: - Details falsepositives: - Unknown level: high +tags: + - attack.persistence + - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml b/rules/windows/registry_set/registry_set_rdp_settings_hijack.yml similarity index 96% rename from rules/windows/registry_event/registry_event_rdp_settings_hijack.yml rename to rules/windows/registry_set/registry_set_rdp_settings_hijack.yml index ff45084c2..c4447c650 100755 --- a/rules/windows/registry_event/registry_event_rdp_settings_hijack.yml +++ b/rules/windows/registry_set/registry_set_rdp_settings_hijack.yml @@ -9,9 +9,9 @@ references: - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ date: 2019/04/03 -modified: 2021/12/31 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection_reg: 
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/windows/registry_set/registry_set_uac_bypass_eventvwr.yml similarity index 91% rename from rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml rename to rules/windows/registry_set/registry_set_uac_bypass_eventvwr.yml index 137219d47..2854b5e9c 100755 --- a/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -7,10 +7,10 @@ references: - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth date: 2017/03/19 -modified: 2021/09/12 +modified: 2022/03/26 logsource: product: windows - category: registry_event + category: registry_set detection: methregistry: TargetObject|startswith: 'HKCU\' diff --git a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml b/rules/windows/registry_set/registry_set_uac_bypass_sdclt.yml similarity index 92% rename from rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml rename to rules/windows/registry_set/registry_set_uac_bypass_sdclt.yml index 01bc5c6c6..314f753d4 100755 --- a/rules/windows/registry_event/registry_event_uac_bypass_sdclt.yml +++ b/rules/windows/registry_set/registry_set_uac_bypass_sdclt.yml @@ -7,9 +7,9 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2022/01/13 +modified: 2022/03/26 logsource: - category: registry_event + category: registry_set product: windows detection: selection1: