[New Rule] Persistence via Hidden Run Key ValName (#534)

* [New Rule] Persistence via Hidden Run Key Detected

* added strings length condition

* added description

* Update persistence_via_hidden_run_key_valuename.toml

* Update rules/windows/persistence_via_hidden_run_key_valuename.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* commented length for stability

no logic impact

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Samirbous
2020-12-08 16:38:23 +01:00
committed by GitHub
parent 929277486d
commit 7d7d010509
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2020/11/15"
maturity = "production"
updated_date = "2020/11/15"
[rule]
author = ["Elastic"]
description = """
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null
terminated) registry key. An adversary may use this method to hide from system utilities such as
the Registry Editor (regedit).
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*"]
language = "eql"
license = "Elastic License"
name = "Persistence via Hidden Run Key Detected"
references = [
"https://github.com/outflanknl/SharpHide",
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
]
risk_score = 73
rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
type = "eql"
query = '''
/* Registry Path ends with backslash */
registry where /* length(registry.data.strings) > 0 and */
registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1060"
name = "Registry Run Keys / Startup Folder"
reference = "https://attack.mitre.org/techniques/T1060/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
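Review bot: The `description` block calls the artifact a hidden "registry key", but the rule title, the `InvisibleRegValues` whitepaper in `references` and the `NtSetValueKey` API it names all concern a hidden value name under a Run key, so an analyst triaging the alert would be pointed at the wrong object. Suggest `Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry value name under a Run key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).` A style point on the query: the disabled clause `/* length(registry.data.strings) > 0 and */` is left as dead text with no in-file reason (only the commit message says it was commented out for stability), and the leading comment states what the path looks like but not why that matters. Replace the comment with one that records the detection logic, e.g. `/* a hidden value name appears empty, so registry.path ends with the Run key's trailing backslash; the length(registry.data.strings) clause was dropped as unstable */`, and remove the commented-out fragment.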