security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cbac37db59b7c5cc8a7055d2d1beff7c53c4ffcb
sigma-rules/rules/windows/persistence_app_compat_shim.toml
T
Jonhnathan 21f23f6d33 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit b47b91b9ec)
2024-04-01 23:52:53 +00:00

57 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
description = """
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been
abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
not process.executable :
("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
"?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
"?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe",
"?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe",
"?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink