security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/registry_event/registry_event_disable_fonction_user.yml
T
Florian Roth a50cd510a5 Update registry_event_disable_fonction_user.yml
2022-03-21 12:01:54 +01:00

36 lines
1.5 KiB
YAML
Raw Blame History

title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: experimental
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
author: frack113
date: 2022/03/18
logsource:
category: registry_event
product: windows
detection:
selection_set_1:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskmgr'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
Details: 'DWORD (0x00000001)'
selection_set_0:
EventType: SetValue
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitim admin script
level: medium
tags:
- attack.defense_evasion
- attack.t1112
Reference in New Issue View Git Blame Copy Permalink