From 84acf004daddd8d2cdc313b94694db030822bf6b Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 21 Apr 2023 18:43:02 -0300
Subject: [PATCH] [Rule Tuning] Component Object Model Hijacking (#2730)

---
 ...stence_suspicious_com_hijack_registry.toml | 63 ++++++++++---------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index e8219a006..c9229dea9 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -75,40 +75,43 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and
- /* not necessary but good for filtering privileged installations */
- user.domain != "NT AUTHORITY" and
+ /* not necessary but good for filtering privileged installations */
+ user.domain != "NT AUTHORITY" and
+ (
+ (
+ registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and
+ registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
+ not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*"
+ ) or
-(
- (registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and
- registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
- not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or
-
- /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
- (registry.path : (
- "HKEY_USERS\\*\\InprocServer32\\*",
- "HKEY_USERS\\*\\LocalServer32\\*",
- "HKEY_USERS\\*\\DelegateExecute\\*",
- "HKEY_USERS\\*\\TreatAs\\*",
- "HKEY_USERS\\*\\ScriptletURL\\*",
- "\\REGISTRY\\USER\\*\\InprocServer32\\*",
- "\\REGISTRY\\USER\\*\\LocalServer32\\*",
- "\\REGISTRY\\USER\\*\\DelegateExecute\\*",
- "\\REGISTRY\\USER\\*\\TreatAs\\*",
- "\\REGISTRY\\USER\\*\\ScriptletURL\\*"
- ) and not
- (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
- registry.path : (
- "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\",
- "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\"))
- ) or
-
- (registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and
- registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*"))
+ /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
+ (registry.path : (
+ "HKEY_USERS\\*\\InprocServer32\\",
+ "HKEY_USERS\\*\\LocalServer32\\",
+ "HKEY_USERS\\*\\DelegateExecute*",
+ "HKEY_USERS\\*\\TreatAs*",
+ "HKEY_USERS\\*\\ScriptletURL*",
+ "\\REGISTRY\\USER\\*\\InprocServer32\\",
+ "\\REGISTRY\\USER\\*\\LocalServer32\\",
+ "\\REGISTRY\\USER\\*\\DelegateExecute*",
+ "\\REGISTRY\\USER\\*\\TreatAs*",
+ "\\REGISTRY\\USER\\*\\ScriptletURL*"
+ ) and not
+ (
+ process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
+ registry.path : (
+ "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\",
+ "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\"))
+ ) or
+ (
+ registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and
+ registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*")
+ )
 ) and
 /* removes false-positives generated by OneDrive and Teams */
- not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and
+ not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and
 /* Teams DLL loaded by regsvr */
 not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll")