From e9fc8d3d09f48ce9975b03ada2929407e606c486 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 6 Sep 2019 10:13:21 +0200
Subject: [PATCH] rule: split up registry debugger registration rule into two

---
 .../win_install_reg_debugger_backdoor.yml | 29 +++++++++++++++++++
 .../sysmon/sysmon_reg_debugger_backdoor.yml | 15 ++--------
 2 files changed, 32 insertions(+), 12 deletions(-)
 create mode 100644 rules/windows/process_creation/win_install_reg_debugger_backdoor.yml

diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
new file mode 100644
index 000000000..033c07897
--- /dev/null
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -0,0 +1,29 @@
+title: Suspicious Debugger Registration Cmdline
+status: experimental
+description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
+references:
+ - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1015
+author: Florian Roth
+date: 2019/09/06
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ CommandLine:
+ - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
+ - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
+ - '*\CurrentVersion\Image File Execution Options\osk.exe*'
+ - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
+ - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
+ - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
+ condition: selection
+falsepositives:
+ - Penetration Tests
+level: high
+
diff --git a/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml b/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
index 741804065..9210e83fd 100644
--- a/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
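Review bot: The new rule lives under rules/windows/process_creation/ but its logsource still binds to `service: sysmon` with `EventID: 1` in the selection, so it only fires on Sysmon telemetry even though the same command line is carried by Security 4688 process-creation events; if this repository's process_creation convention applies here, the logsource should be the generic category, `product: windows` / `category: process_creation`, with the `EventID: 1` line dropped. The description ends with a period while the sibling rule's does not; pick one form for both. The trailing empty added line at the end of the file is a yamllint empty-lines finding and can go.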
+++ b/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
@@ -1,4 +1,4 @@
-title: Suspicious Debugger Registration
+title: Suspicious Debugger Registration Registry
 status: experimental
 description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor)
 references:
@@ -13,16 +13,7 @@ logsource:
 product: windows
 service: sysmon
 detection:
- selection_proc:
- EventID: 1
- CommandLine:
- - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
- - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
- - '*\CurrentVersion\Image File Execution Options\osk.exe*'
- - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
- - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
- - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
- selection_reg:
+ selection:
 EventID:
 - 12
 - 13
@@ -33,7 +24,7 @@ detection:
 - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
 - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
 - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
- condition: selection_proc or selection_reg
+ condition: selection
 falsepositives:
 - Penetration Tests
 level: high
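Review bot: After the split both rules carry the same description sentence (the context line in the first hunk here and the new file), so an analyst triaging an alert cannot tell from the description which telemetry fired; make it name the source, e.g. `description: Detects the registration of a debugger for a logon-screen program (sticky key backdoor) via Sysmon registry events (EventID 12/13)`. The new title `Suspicious Debugger Registration Registry` reads as two nouns collided; `Suspicious Debugger Registration via Registry` says the same thing. Sysmon event 12 is raised for key deletion as well as creation, so the remaining `selection` presumably also fires when such a key is removed — worth a line in the description if that is intended. The TargetObject part of the selection between the second and third hunk is outside the hunks.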