SigmaHQ/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml


title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: experimental
description: Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
    - https://attack.mitre.org/techniques/T1101/
    - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
tags:
    - attack.persistence
    - attack.t1101 # an old one
    - attack.t1547.005
author: iwillkeepwatch
date: 2019/01/18
modified: 2020/09/06
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject:
            - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
            - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
    exclusion_images:
        - Image: C:\Windows\system32\msiexec.exe
        - Image: C:\Windows\syswow64\MsiExec.exe
    condition: selection_registry and not exclusion_images
falsepositives:
    - Unlikely
level: critical
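As an added example (not part of the SigmaHQ repository or of this rule), the Python below models how the rule's `condition` evaluates over a few constructed Sysmon Event ID 13 (RegistryEvent SetValue) records: the two `TargetObject` values are OR-ed, the two `Image` entries are OR-ed, Sigma's default string match is exact but case-insensitive, and the rule fires only when the selection matches and the exclusion does not. Field names (`EventID`, `Image`, `TargetObject`, `Details`) follow Sysmon; the process paths and value data in the sample records are constructed.

```python
from __future__ import annotations
from typing import Iterable

# Added example, not Sigma project code: the rule's two lists, copied verbatim.
SELECTION_TARGET_OBJECTS = (
    r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
    r"HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages",
)
EXCLUSION_IMAGES = (
    r"C:\Windows\system32\msiexec.exe",
    r"C:\Windows\syswow64\MsiExec.exe",
)


def _eq_ci(value: str, candidates: Iterable[str]) -> bool:
    """Sigma's default string match: exact value, compared case-insensitively."""
    return value.casefold() in {c.casefold() for c in candidates}


def selection_registry(event: dict) -> bool:
    # A list of values under one field is OR-ed.
    return _eq_ci(event.get("TargetObject", ""), SELECTION_TARGET_OBJECTS)


def exclusion_images(event: dict) -> bool:
    # A list of maps is OR-ed as well.
    return _eq_ci(event.get("Image", ""), EXCLUSION_IMAGES)


def rule_matches(event: dict) -> bool:
    """condition: selection_registry and not exclusion_images"""
    return selection_registry(event) and not exclusion_images(event)


# Constructed Sysmon Event ID 13 records (paths and value data are made up).
SAMPLE_EVENTS = [
    {   # SSP list rewritten by an interactive registry editor: should alert
        "EventID": 13, "Image": r"C:\Windows\System32\regedit.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
        "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u",
    },
    {   # Same key touched by the Windows Installer: covered by the exclusion
        "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages",
        "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u",
    },
    {   # Unrelated autorun value: not in the selection at all
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Program Files\Example\updater.exe",
    },
    {   # Exclusion path in different case: still excluded (case-insensitive match)
        "EventID": 13, "Image": r"C:\WINDOWS\SysWOW64\msiexec.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
        "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u",
    },
]


def evaluate(events: list[dict]) -> list[bool]:
    """Return the rule's verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "     ", event["Image"], "->", event["TargetObject"])
```

Note that the exclusion keys on the image path alone, so when tuning this rule in a SIEM it is worth enriching the alert with signer or parent-process context rather than widening the exclusion list.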