From eb8a0636c524d1a4f933950dfe4b5bbd4e11fb01 Mon Sep 17 00:00:00 2001
From: megan201296
Date: Sun, 14 Apr 2019 11:51:13 -0500
Subject: [PATCH] Update win_mal_ursnif.yml

After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique.
---
 rules/windows/malware/win_mal_ursnif.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml
index facc8f8dc..3b19d5120 100644
--- a/rules/windows/malware/win_mal_ursnif.yml
+++ b/rules/windows/malware/win_mal_ursnif.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 13
- TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
+ TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
 condition: selection
 falsepositives:
 - Unknown
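Review bot: The new `TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'` pattern matches every Sysmon event 13 value-set under that key, not only the Ursnif-style random subkey, and the leading `*` now also drops the hive constraint, so the "key is still unique" claim in the description deserves a caveat. As far as I know, Internet Explorer Protected Mode legitimately writes its low-integrity settings under `Software\AppDataLow\Software\Microsoft\Internet Explorer`, which would fire this rule on ordinary browsing; this should be confirmed on a baseline host before the rule is treated as high-fidelity. At minimum, replace the `falsepositives: - Unknown` entry with `- Legitimate low-integrity software writing under AppDataLow (e.g. Internet Explorer Protected Mode)`; if confirmed, add a `filter` with `TargetObject: '*\Software\AppDataLow\Software\Microsoft\Internet Explorer\*'` and change the condition to `selection and not filter`. The rule's `title`/`level` and the `logsource` fields are outside the hunk, so the rule's intended severity could not be checked against this widened match.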