Update sysmon_registry_persistence_search_order.yml

This commit is contained in:
yugoslavskiy 2020-11-28 18:30:41 +01:00 committed by GitHub
parent 9f8ef95571
commit 39c2258848
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -4,9 +4,9 @@ status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut)
author: Maxime Thiebaut (@0xThiebaut), oscd.community
date: 2020/04/14
modified: 2020/09/06
modified: 2020/11/28
tags:
- attack.persistence
- attack.t1038 # an old one
@ -16,7 +16,10 @@ logsource:
product: windows
detection:
selection: # Detect new COM servers in the user hive
TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
TargetObject|contains|all:
- 'HKU\'
- '_Classes\CLSID\'
- '\InProcServer32\(Default)'
filter:
- Details|contains: # Exclude privileged directories and observed FPs
- '%%systemroot%%\system32\'
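Review bot: Replacing the single wildcard pattern with `TargetObject|contains|all` in the selection drops the ordering and adjacency that the removed `HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)` expressed: the three substrings are now matched independently, so any TargetObject that contains all three in any order satisfies the selection. For real registry paths this is presumably equivalent in practice, but the slight broadening is invisible to a reader of the rule and the reason for the rewrite (likely backend support for multiple wildcards) is not recorded anywhere in the file. A short comment on the selection would preserve that context, e.g. `selection: # Detect new COM servers in the user hive; contains|all replaces a multi-wildcard pattern, substring order is not enforced`. The `filter` mapping starts inside the hunk and continues outside it, so the FP exclusions cannot be judged here.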