Terrance DeJesus 93edc44284 [Rule Tuning] Timeline Templates For Windows and Linux (#1892)
* added comprehensive file timeline to Hosts File Modified rule

* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule

* updated rules to have generic instead of comprehensive

* updated several rules with timeline ID and timeline title values

* changed updated_date for threat intel fleet integrations

* added missing templates to timeline_templates dict in definitions.py

* added comprehensive timeline templates to alerts after definitions.py was updated

* updated rules with comprehensive timeline templates and added min stack comments and versions

* removing timeline template changes, which are tracked in #1904

* Update rules/linux/execution_python_tty_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Delete Pipfile

Removing pipfile

* Delete Pipfile.lock

deleting pipfile.lock

* Update rules/windows/execution_command_shell_started_by_svchost.toml

updating title

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-01 13:44:35 -04:00


[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/03/31"
# The rule references the "Comprehensive Registry Timeline" template
# (rule.timeline_id / rule.timeline_title), which only exists on 8.2+,
# so the rule is gated to that stack version.
min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
min_stack_version = "8.2"

[rule]
author = ["Elastic"]
description = """
Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts,
attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Startup or Run Key Registry Modification"
risk_score = 21
rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
# Default investigation timeline: the "Comprehensive Registry Timeline"
# template, available on stack 8.2+ (see metadata.min_stack_version).
timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
timeline_title = "Comprehensive Registry Timeline"
timestamp_override = "event.ingested"
type = "eql"
# Coverage notes for tuning (the query below is unchanged):
# - Only registry events are inspected. Startup-folder file writes mentioned
#   in the description are not matched by this query and need separate
#   coverage if required.
# - Events whose registry data is not a string (registry.data.strings == null)
#   never match.
# - Writes made as SYSTEM, LOCAL SERVICE or NETWORK SERVICE (S-1-5-18/19/20),
#   writes by msiexec.exe, and values whose data is a single *.exe under
#   Program Files / Program Files (x86) are deliberately excluded to keep the
#   volume tolerable; activity in those contexts is out of scope for this rule.
query = '''
registry where registry.data.strings != null and
registry.path : (
/* Machine Hive */
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
/* Users Hive */
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*"
) and
/* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */
not registry.data.strings : "ctfmon.exe /n" and
not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and
user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
not registry.data.strings : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and
not (process.name : "OneDriveSetup.exe" and
registry.value : ("Delete Cached Standalone Update Binary", "Delete Cached Update Binary", "amd64", "Uninstall *") and
registry.data.strings : "?:\\Windows\\system32\\cmd.exe /q /c * \"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\"")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  # Technique and sub-technique mapped for this threat entry.
  [[rule.threat.technique]]
  id = "T1547"
  name = "Boot or Logon Autostart Execution"
  reference = "https://attack.mitre.org/techniques/T1547/"

    [[rule.threat.technique.subtechnique]]
    id = "T1547.001"
    name = "Registry Run Keys / Startup Folder"
    reference = "https://attack.mitre.org/techniques/T1547/001/"

  # Tactic for the same threat entry (sibling of technique, not nested in it).
  [rule.threat.tactic]
  id = "TA0003"
  name = "Persistence"
  reference = "https://attack.mitre.org/tactics/TA0003/"