Merge pull request #2036 from frack113/sysmon_registry_persistence_search_order

[Turla Mosquito] fix detection from references
frack113 2021-09-17 06:36:46 +02:00 committed by GitHub
commit 158746a904


@ -6,7 +6,7 @@ references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2021/08/14
modified: 2021/09/16
tags:
- attack.persistence
- attack.t1038 # an old one
@ -16,10 +16,10 @@ logsource:
product: windows
detection:
selection: # Detect new COM servers in the user hive
TargetObject|contains|all:
- 'HKU\'
- '_Classes\CLSID\'
- '\InProcServer32\(Default)'
TargetObject|startswith:
- 'HKCR\CLSID\'
- 'HKCU\Software\Classes\CLSID\'
TargetObject|endswith: '\InprocServer32\(Default)'
filter1:
Details|contains: # Exclude privileged directories and observed FPs
- '%%systemroot%%\system32\'
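Review bot: If the `TargetObject|startswith` / `TargetObject|endswith` lines are the new side (the rendered page has dropped the +/- markers, so this is inferred from the PR title), the `'HKCU\Software\Classes\CLSID\'` prefix only fires when the log source or backend renders the current-user hive as HKCU; the replaced `contains|all` pair of `'HKU\'` and `'_Classes\CLSID\'` suggests the raw events carry the user hive as `HKU\<SID>_Classes\...`, which no longer matches any prefix in the new list. Keeping an HKU-based alternative next to the HKCU prefix, e.g. `- 'HKU\'` combined with a `contains: '\Classes\CLSID\'` condition, or a comment stating which normalization supplies the HKCU form, would make the coverage explicit. The `'\InprocServer32\(Default)'` suffix is presumably matched case-insensitively, but writing it `'\InProcServer32\(Default)'` as in the removed line keeps the spelling consistent with the key name. `filter1` continues past the end of the hunk.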