From 7d7d010509b62fe3bef835f6dbe950c6d682c9ef Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 16:38:23 +0100 Subject: [PATCH] [New Rule] Persistence via Hidden Run Key ValName (#534) * [New Rule] Persistence via Hidden Run Key Detected * added strings length condition * added description * Update persistence_via_hidden_run_key_valuename.toml * Update rules/windows/persistence_via_hidden_run_key_valuename.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * commented length for stability no logic impact * eql syntax * ecs_version Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...sistence_via_hidden_run_key_valuename.toml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 rules/windows/persistence_via_hidden_run_key_valuename.toml diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml new file mode 100644 index 000000000..17a869ca6 --- /dev/null +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/11/15" +maturity = "production" +updated_date = "2020/11/15" + +[rule] +author = ["Elastic"] +description = """ +Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null +terminated) registry key. An adversary may use this method to hide from system utilities such as +the Registry Editor (regedit). +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "winlogbeat-*"] +language = "eql" +license = "Elastic License" +name = "Persistence via Hidden Run Key Detected" +references = [ + "https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf", +] +risk_score = 73 +rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +type = "eql" + +query = ''' +/* Registry Path ends with backslash */ +registry where /* length(registry.data.strings) > 0 and */ + registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1060" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1060/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"