From 7f59fbb23508afdc2974a8b18e039b1fd6d8a011 Mon Sep 17 00:00:00 2001
From: LaZyDK
Date: Wed, 24 Nov 2021 12:57:43 +0100
Subject: [PATCH] [Rule Tuning] Component Object Model Hijacking (#1491)

* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan
(cherry picked from commit dd3e924e4a5781b1780ae5fdb00fe87c6b0a0694)
---
 .../windows/persistence_suspicious_com_hijack_registry.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 6aa32b4cd..506635a38 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/06/01"
+updated_date = "2021/09/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,10 +32,12 @@ registry where
 or
 /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
 (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
- "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
+ "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
 "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
 "HKEY_USERS\\*Classes\\*\\TreatAs\\",
 "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
+ not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
+ registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
 /* not necessary but good for filtering privileged installations */
 user.domain != "NT AUTHORITY")
 '''
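Review bot: The new Veeam exception on the two added `not (...)` lines is keyed only on a `process.executable` path and a registry path pattern, so the strength of the exclusion rests entirely on a file-system location rather than on any property of the binary itself, which is the weakest form of allow-list for a persistence rule. If the registry event source populates code-signature fields, tightening the clause to also require `process.code_signature.subject_name : "<VENDOR_SIGNER_NAME placeholder>"` and `process.code_signature.trusted == true` keeps the exception scoped to the vendor's signed console; confirm the signer value in telemetry before adding it. The other branches of this `registry.path` block carry a `/* ... */` comment but the exception does not, so a one-line comment such as `/* Veeam Backup & Replication console writes CLSID LocalServer32 keys in the user hive; reviewed as benign */` would record why it is excluded. The removed and re-added `LocalServer32` line is byte-identical here, so that change is presumably trailing whitespace only. The `registry where` query this hunk belongs to starts before line 32 and lies outside the hunk.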