security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e88c2d024fa6ef5e0cfd8ea7a55d90a84304868
sigma-rules/rules_building_block/discovery_generic_registry_query.toml
T
Jonhnathan 21f23f6d33 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit b47b91b9ec)
2024-04-01 23:52:53 +00:00

73 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/13"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the
registry to gain situational awareness about the host, like installed security software, programs and settings.
"""
from = "now-24h"
index = ["logs-endpoint.events.process-*"]
interval = "24h"
language = "kuery"
license = "Elastic License v2"
name = "Query Registry using Built-in Tools"
risk_score = 21
rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and
(
(process.name.caseless:"reg.exe" and process.args:"query") or
(process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and
process.args:(
("get-childitem" or "Get-ChildItem" or "gci" or "dir" or "ls" or
"get-item" or "Get-Item" or "gi" or
"get-itemproperty" or "Get-ItemProperty" or "gp") and
("hkcu" or "HKCU" or "hkey_current_user" or "HKEY_CURRENT_USER" or
"hkey_local_machine" or "HKEY_LOCAL_MACHINE" or
"hklm" or "HKLM" or registry\:\:*)
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1012"
name = "Query Registry"
reference = "https://attack.mitre.org/techniques/T1012/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
Reference in New Issue View Git Blame Copy Permalink