security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules_building_block/discovery_generic_registry_query.toml
T
Justin Ibarra a6c5cfc418 [Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330) 
* [Rule Tuning] Optimize query for Query Registry using Built-in Tools

* reduce history window to 7d

* use args vs command_line wildcards

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2023-12-14 19:55:36 -07:00

73 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/13"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the
registry to gain situational awareness about the host, like installed security software, programs and settings.
"""
from = "now-24h"
index = ["logs-endpoint.events.process*"]
interval = "24h"
language = "kuery"
license = "Elastic License v2"
name = "Query Registry using Built-in Tools"
risk_score = 21
rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and
(
(process.name.caseless:"reg.exe" and process.args:"query") or
(process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and
process.args:(
("get-childitem" or "Get-ChildItem" or "gci" or "dir" or "ls" or
"get-item" or "Get-Item" or "gi" or
"get-itemproperty" or "Get-ItemProperty" or "gp") and
("hkcu" or "HKCU" or "hkey_current_user" or "HKEY_CURRENT_USER" or
"hkey_local_machine" or "HKEY_LOCAL_MACHINE" or
"hklm" or "HKLM" or registry\:\:*)
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1012"
name = "Query Registry"
reference = "https://attack.mitre.org/techniques/T1012/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
Reference in New Issue View Git Blame Copy Permalink