[Rule Tuning] Component Object Model Hijacking (#1491)

* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit dd3e924e4a)
LaZyDK
2021-11-24 12:57:43 +01:00
committed by github-actions[bot]
parent 3e5ed57546
commit 7f59fbb235
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2021/06/01"
updated_date = "2021/09/22"
[rule]
author = ["Elastic"]
@@ -32,10 +32,12 @@ registry where
or
/* in general COM Registry changes on Users Hive is less noisy and worth alerting */
(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
"HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
"HKEY_USERS\\*Classes\\*\\TreatAs\\",
"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
/* not necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY")
'''
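Review bot: The new Veeam exclusion on the `not (process.executable : "?:\\Program Files*\\Veeam\\...\\veeam.backup.shell.exe" and registry.path : ...)` lines keys only on the executable path, so any process running from that path, not just the vendor's binary, is exempted from the COM-hijack alert; tying it to the publisher would keep the exclusion honest, e.g. `process.code_signature.subject_name : "<VENDOR-SUBJECT-NAME>" and process.code_signature.trusted == true` alongside the path match. The paired `registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\"` wildcard also covers every CLSID under the user hive rather than the specific ones the console registers, so if those CLSIDs are known it would be safer to enumerate them. The other branches of this query carry an explanatory comment while the new exclusion has none; a line such as `/* Veeam Backup & Replication console registering its COM server under the user hive - verify against known-good installs */` above the `not (` would document why it is tolerated. The `registry where` query starts before this hunk, so the surrounding conditions were not reviewed.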