From f8962bec987f20514103abea44a06f7161a45541 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 19 Dec 2021 10:35:39 +0100
Subject: [PATCH] Aurora FP

---
 ...ysmon_asep_reg_keys_modification_currentversion.yml | 10 +++++++---
 .../sysmon_asep_reg_keys_modification_wow6432node.yml | 10 +++++++---
 .../sysmon_registry_persistence_search_order.yml | 6 +++++-
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
index 16f392ac1..574c513c8 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/18
+modified: 2021/12/19
 logsource:
 category: registry_event
 product: windows
@@ -36,13 +36,17 @@ detection:
 - '\Authentication\PLAP Providers'
 - '\Authentication\Credential Providers'
 - '\Authentication\Credential Provider Filters'
- filter:
+ filter_all:
 - Details: '(Empty)'
 - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
 - Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
 - Image:
 - 'C:\WINDOWS\system32\devicecensus.exe'
- condition: current_version_base and current_version and not filter
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
+ condition: current_version_base and current_version and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
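Review bot: The new `filter_edge` exclusion keys on `Image|contains|all`, so it exempts any process whose image path merely contains `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{` somewhere and `\setup.exe` somewhere, not specifically a `setup.exe` located under the updater's install folder; anchoring it as `Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'` plus `Image|endswith: '\setup.exe'` (two keys in the same map, still AND-ed) keeps the whitelist as narrow as the observed false positive. The identical exclusion is added to sysmon_asep_reg_keys_modification_wow6432node.yml and sysmon_registry_persistence_search_order.yml in this patch and should be tightened the same way there. An exclusion keyed on an image path alone is only as trustworthy as the ACL on that directory, so the reason for it deserves an inline comment, e.g. `# FP: Microsoft Edge updater, EdgeUpdate\Install\{GUID}\setup.exe (seen in Aurora)` — the GUID-named folder and the Aurora origin are inferred from the trailing `\{` in the pattern and from the subject line, so confirm both before committing the wording. The `current_version` selection that the leading context lines belong to starts above the hunk.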
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
index dd255205a..e7d956008 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2021/12/19
 logsource:
 category: registry_event
 product: windows
@@ -27,9 +27,13 @@ detection:
 - '\Explorer\ShellExecuteHooks'
 - '\Explorer\SharedTaskScheduler'
 - '\Explorer\Browser Helper Objects'
- filter:
+ filter_empty:
 Details: '(Empty)'
- condition: wow_current_version_base and wow_current_version and not filter
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
+ condition: wow_current_version_base and wow_current_version and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 0712e079b..7669904a7 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2021/12/16
+modified: 2021/12/19
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -48,6 +48,10 @@ detection:
 Image|contains|all:
 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 - '\MsMpEng.exe'
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
 condition: selection and not 1 of filter*
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
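Review bot: The `falsepositives` list directly below the new `filter_edge` still names only OneDrive, so the rule text no longer explains why a `setup.exe` under `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{…}` is exempted from this COM-hijacking detection; add an entry next to the OneDrive one such as `- Microsoft Edge updater (EdgeUpdate\Install\{GUID}\setup.exe)` (the GUID-named folder is inferred from the trailing `\{` in the pattern, so confirm it). This file's condition uses the glob `filter*` while the two sibling rules patched in the same commit use `filter_*`; the new `filter_edge` matches both spellings, but aligning them would make the three rules easier to keep in sync. The `detection` block and the filter entry that holds the Defender `MsMpEng.exe` exclusion begin above the hunk.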