[Rule Tuning] Unusual Persistence via Services Registry (#1077)
* [Rule Tuning] Unusual Persistence via Services Registry * update date Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/04/07"
|
[rule]
author = ["Elastic"]
@@ -24,17 +24,19 @@ type = "eql"
|
query = '''
registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and
not registry.data.strings : ("C:\\windows\\system32\\Drivers\\*.sys",
"\\SystemRoot\\System32\\drivers\\*.sys",
not registry.data.strings : ("?:\\windows\\system32\\Drivers\\*.sys",
"\\SystemRoot\\System32\\drivers\\*.sys",
"\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
"system32\\DRIVERS\\USBSTOR") and
not (process.name : "procexp??.exe" and registry.data.strings : "C:\\*\\procexp*.sys") and
not process.executable : ("C:\\Program Files*\\*.exe",
"C:\\Windows\\System32\\svchost.exe",
"C:\\Windows\\winsxs\\*\\TiWorker.exe",
"C:\\Windows\\System32\\drvinst.exe",
"C:\\Windows\\System32\\services.exe",
"C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\System32\\regsvr32.exe")
not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
not process.executable : ("?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\winsxs\\*\\TiWorker.exe",
"?:\\Windows\\System32\\drvinst.exe",
"?:\\Windows\\System32\\services.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\regsvr32.exe")
'''
|
||||
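Review bot: Swapping the `C:` prefix for `?:` in the exclusion on the line `not registry.data.strings : ("?:\\windows\\system32\\Drivers\\*.sys",` and in the `not process.executable : (...)` list makes every allow-listed path match on any drive letter, not only the system drive, and the hunk does not say whether that is meant to cover non-default system-drive installs or is just a side effect of aligning with the `?:\\*\\procexp*.sys` style. Because these are exclusions in a persistence rule, the widening quietly reduces coverage: a ServiceDLL or ImagePath value pointing at the same relative path on a non-system volume is no longer alerted on, and the same applies to the excluded `svchost.exe`, `services.exe` and `msiexec.exe` paths. If the broadening is intentional, a TOML comment above `query = '''` such as `# Exclusions use ?: instead of C: so non-default system-drive installs are covered; note this also accepts the same path on any other volume.` would record the trade-off for the next tuner. Otherwise the driver-path exclusions could stay pinned to the real system root using the `\\SystemRoot\\System32\\drivers\\*.sys` form that the list already contains, keeping `?:` only where a drive-independent match is actually wanted.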