security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

filter on createkey only when needed

Browse Source
This commit is contained in:
ecco
2020-05-22 10:37:00 -04:00
parent 0dd089db47
commit ec17c2ab56
3 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_cmstp_execution.yml
+1
View File
@@ -31,6 +31,7 @@ detection:
selection2:
EventID: 12
TargetObject: '*\cmmgr32.exe*'
EventType: 'CreateKey'
# Registry Object Value Set
selection3:
EventID: 13
rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+1
View File
@@ -18,6 +18,7 @@ detection:
- EventID: 12 # key create
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
- EventID: 14 # key rename
NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+1
View File
@@ -16,6 +16,7 @@ logsource:
detection:
selection:
EventID: 12
EventType: 'CreateKey' # don't want DeleteKey events
TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
condition: selection
falsepositives: