security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Startup or Run Key Registry Modification (#5137)

Browse Source 
* [Tuning] Startup or Run Key Registry Modification

high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.

* Update rules/windows/persistence_run_key_and_startup_broad.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Samirbous
2025-10-06 09:24:33 +01:00
committed by GitHub
parent b4e9b48ad7
commit 29c4c19d59
1 changed files with 29 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_run_key_and_startup_broad.toml
+29 -212
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/08"
updated_date = "2025/09/18"
[transform]
[[transform.osquery]]
@@ -137,217 +137,34 @@ registry where host.os.type == "windows" and event.type == "change" and
not registry.data.strings : "ctfmon.exe /n" and
not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and
not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
not registry.data.strings : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and
not (
/* Logitech G Hub */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Logitech Inc" and
(
process.name : "lghub_agent.exe" and registry.data.strings : (
"\"?:\\Program Files\\LGHUB\\lghub.exe\" --background",
"\"?:\\Program Files\\LGHUB\\system_tray\\lghub_system_tray.exe\" --minimized"
)
) or
(
process.name : "LogiBolt.exe" and registry.data.strings : (
"?:\\Program Files\\Logi\\LogiBolt\\LogiBolt.exe --startup",
"?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBolt.exe --startup"
)
)
) or
/* Google Drive File Stream, Chrome, and Google Update */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Google LLC" and
(
process.name : "GoogleDriveFS.exe" and registry.data.strings : (
"\"?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe\" --startup_mode"
) or
process.name : "chrome.exe" and registry.data.strings : (
"\"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5",
"\"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"
) or
process.name : ("GoogleUpdate.exe", "updater.exe") and registry.data.strings : (
"\"?:\\Users\\*\\AppData\\Local\\Google\\Update\\*\\GoogleUpdateCore.exe\"",
"\"?:\\Users\\*\\AppData\\Local\\Google\\GoogleUpdater\\*\\updater.exe\" --wake"
)
)
) or
/* MS Programs */
(
process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") and
(
process.name : "msedge.exe" and registry.data.strings : (
"\"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
"\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --win-session-start",
"\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start"
) or
process.name : ("Update.exe", "Teams.exe", "ms-teamsupdate.exe") and registry.data.strings : (
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"",
"?:\\ProgramData\\*\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"",
"ms-teamsupdate.exe -UninstallT20"
) or
process.name : ("OneDrive*.exe", "Microsoft.SharePoint.exe") and registry.data.strings : (
"?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background *",
"?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe /background*",
"\"?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe\" /background*",
"\"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\??.???.????.????\\Microsoft.SharePoint.exe",
"?:\\Windows\\system32\\cmd.exe /q /c * \"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\""
) or
process.name : "MicrosoftEdgeUpdate.exe" and registry.data.strings : (
"\"?:\\Users\\*\\AppData\\Local\\Microsoft\\EdgeUpdate\\*\\MicrosoftEdgeUpdateCore.exe\""
) or
process.executable : "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe" and
registry.data.strings : (
"\"?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
) or
process.name : "BingWallpaper.exe" and registry.data.strings : (
"C:\\Users\\*\\AppData\\Local\\Temp\\*\\UnInstDaemon.exe"
) or
/* Discord Update.exe via reg.exe */
process.name : "reg.exe" and registry.data.strings : (
"\"C:\\Users\\*\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
)
)
) or
/* Slack */
(
process.code_signature.trusted == true and process.code_signature.subject_name in (
"Slack Technologies, Inc.", "Slack Technologies, LLC"
) and process.name : "slack.exe" and registry.data.strings : (
"\"?:\\Users\\*\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup",
"\"?:\\ProgramData\\*\\slack\\slack.exe\" --process-start-args --startup",
"\"?:\\Program Files\\Slack\\slack.exe\" --process-start-args --startup"
)
) or
/* Cisco */
(
process.code_signature.trusted == true and process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and
(
process.name : "WebexHost.exe" and registry.data.strings : (
"\"?:\\Users\\*\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun"
)
) or
(
process.name : "CiscoJabber.exe" and registry.data.strings : (
"\"?:\\Program Files (x86)\\Cisco Systems\\Cisco Jabber\\CiscoJabber.exe\" /min"
)
)
) or
/* Loom */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Loom, Inc." and
process.name : "Loom.exe" and registry.data.strings : (
"?:\\Users\\*\\AppData\\Local\\Programs\\Loom\\Loom.exe --process-start-args \"--loomHidden\""
)
) or
/* Adobe */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and
process.name : ("Acrobat.exe", "FlashUtil32_*_Plugin.exe") and registry.data.strings : (
"\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"",
"\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"",
"?:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil32_*_Plugin.exe -update plugin"
)
) or
/* CCleaner */
(
process.code_signature.trusted == true and
process.code_signature.subject_name in ("PIRIFORM SOFTWARE LIMITED", "Gen Digital Inc.") and
process.name : ("CCleanerBrowser.exe", "CCleaner64.exe") and registry.data.strings : (
"\"C:\\Program Files (x86)\\CCleaner Browser\\Application\\CCleanerBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\"",
"\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"
)
) or
/* Opera */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Opera Norway AS" and
process.name : ("opera.exe", "assistant_installer.exe") and registry.data.strings : (
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\launcher.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera GX\\launcher.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera GX\\opera.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\assistant\\browser_assistant.exe"
)
) or
/* Avast */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Avast Software s.r.o." and
process.name : "AvastBrowser.exe" and registry.data.strings : (
"\"?:\\Users\\*\\AppData\\Local\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*",
"\"?:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*",
""
)
) or
/* Grammarly */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Grammarly, Inc." and
process.name : "GrammarlyInstaller.exe" and registry.data.strings : (
"?:\\Users\\*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe",
"\"?:\\Users\\*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe\""
)
) or
/* AVG */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "AVG Technologies USA, LLC" and
process.name : "AVGBrowser.exe" and registry.data.strings : (
"\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\"*",
"\"C:\\Users\\*\\AppData\\Local\\AVG\\Browser\\Application\\AVGBrowser.exe\"*"
)
) or
/* HP */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "HP Inc." and
process.name : "ScanToPCActivationApp.exe" and registry.data.strings : (
"\"C:\\Program Files\\HP\\HP*"
)
) or
/* 1Password */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Agilebits" and
process.name : "1PasswordSetup*.exe" and registry.data.strings : (
"\"C:\\Users\\*\\AppData\\Local\\1Password\\app\\?\\1Password.exe\" --silent"
)
) or
/* OpenVPN */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "OpenVPN Inc." and
process.name : "OpenVPNConnect.exe" and registry.data.strings : (
"C:\\Program Files\\OpenVPN Connect\\OpenVPNConnect.exe --opened-at-login --minimize"
)
) or
/* Docker */
(
process.code_signature.trusted == true and process.code_signature.subject_name == "Docker Inc" and
process.name: "com.docker.backend.exe" and registry.data.strings : (
"C:\\Program Files\\Docker\\Docker\\Docker Desktop.exe -Autostart"
)
)
)
not registry.data.strings : ("*:\\Program Files\\*",
"*:\\Program Files (x86)\\*",
"*:\\Users\\*\\AppData\\Local\\*",
"* --processStart *",
"* --process-start-args *",
"ms-teamsupdate.exe -UninstallT20",
" ",
"grpconv -o", "* /burn.runonce*", "* /startup",
"?:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil32_*_Plugin.exe -update plugin") and
not process.executable : ("?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\SysWOW64\\msiexec.exe",
"D:\\*",
"\\Device\\Mup*",
"C:\\Windows\\SysWOW64\\reg.exe",
"C:\\Windows\\System32\\changepk.exe",
"C:\\Windows\\System32\\netsh.exe",
"C:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
"C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
"C:\\Program Files\\Cisco Spark\\CiscoCollabHost.exe",
"C:\\Sistemas\\Programas MP\\CCleaner\\CCleaner64.exe",
"C:\\Program Files (x86)\\FastTrack Software\\Admin By Request\\AdminByRequest.exe",
"C:\\Program Files (x86)\\Exclaimer Ltd\\Cloud Signature Update Agent\\Exclaimer.CloudSignatureAgent.exe",
"C:\\ProgramData\\Lenovo\\Vantage\\AddinData\\LenovoBatteryGaugeAddin\\x64\\QSHelper.exe",
"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\Installer\\setup.exe",
"C:\\ProgramData\\bomgar-scc-*\\bomgar-scc.exe",
"C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil*_pepper.exe",
"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE",
"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*\\AdobeARM.exe")
'''