security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modification of AmsiEnable Registry Key - Sysmon support (#1760)

Browse Source 
(cherry picked from commit 9c56b00429)
This commit is contained in:
Jonhnathan
2022-02-11 17:49:38 -03:00
committed by github-actions[bot]
parent 8cad086a2d
commit 817400d0c7
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_amsienable_key_mod.toml
+6 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/01"
maturity = "production"
updated_date = "2021/06/01"
updated_date = "2022/02/07"
[rule]
author = ["Elastic"]
@@ -28,8 +28,11 @@ type = "eql"
query = '''
registry where event.type in ("creation", "change") and
registry.path: "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" and
registry.data.strings: "0"
registry.path : (
"HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
"HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
) and
registry.data.strings: ("0", "0x00000000")
'''