security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bdfddac8edea5e327bf28aed7e6dc4a7f701dc6
sigma-rules/rules/windows/persistence_services_registry.toml
T
Jonhnathan 9bbe26fec0 [Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775) 
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml
2022-02-15 09:56:37 -03:00

61 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
description = """
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
modification of an existing service.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
risk_score = 21
rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and
not registry.data.strings : ("?:\\windows\\system32\\Drivers\\*.sys",
"\\SystemRoot\\System32\\drivers\\*.sys",
"\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
"system32\\DRIVERS\\USBSTOR") and
not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
not process.executable : ("?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\winsxs\\*\\TiWorker.exe",
"?:\\Windows\\System32\\drvinst.exe",
"?:\\Windows\\System32\\services.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\regsvr32.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink