security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #892 from rtkbkish/registry-event-fixes

Browse Source 
Fixes for rules in new sysmon registry_event category
This commit is contained in:
Florian Roth
2020-07-05 13:12:04 +02:00
committed by GitHub
parent 80f15a1e50 4b31633355
commit facd578324
2 changed files with 3 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+1 -2
View File
@@ -15,8 +15,7 @@ logsource:
product: windows
detection:
selection:
- EventID: 12 # key create
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
- # key rename
rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+2 -5
View File
@@ -17,12 +17,9 @@ logsource:
product: windows
detection:
selection:
- EventID:
- 12 # key create
- 13 # value set
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- # key rename
- # key rename
NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
condition: selection
fields: