Update sysmon_stickykey_like_backdoor.yml

This commit is contained in:
Jonhnathan 2020-10-15 20:07:11 -03:00 committed by GitHub
parent 03ea1375e2
commit 6fc6409c7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -24,13 +24,13 @@ logsource:
product: windows
detection:
selection_registry:
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
TargetObject|endswith:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
condition: 1 of them
---
@ -39,13 +39,13 @@ logsource:
product: windows
detection:
selection_process:
ParentImage:
- '*\winlogon.exe'
CommandLine:
- '*cmd.exe sethc.exe *'
- '*cmd.exe utilman.exe *'
- '*cmd.exe osk.exe *'
- '*cmd.exe Magnify.exe *'
- '*cmd.exe Narrator.exe *'
- '*cmd.exe DisplaySwitch.exe *'
ParentImage|endswith:
- '\winlogon.exe'
CommandLine|contains:
- 'cmd.exe sethc.exe '
- 'cmd.exe utilman.exe '
- 'cmd.exe osk.exe '
- 'cmd.exe Magnify.exe '
- 'cmd.exe Narrator.exe '
- 'cmd.exe DisplaySwitch.exe '
condition: 1 of them
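Review bot: The process selection in the second hunk only fires when the IFEO debugger is literally `cmd.exe` followed by one space and the tool name, so a Debugger value that points at powershell.exe, a renamed copy of cmd, or a quoted full path (`"C:\Windows\System32\cmd.exe" sethc.exe`) is not matched by `CommandLine|contains`, and the trailing space in every string additionally requires an argument after the tool name. The registry hunk catches the write only where Sysmon is configured to log that IFEO key, so the process rule is the fallback and should not hinge on the debugger's file name or spacing. Anchoring on the accessibility-tool names alone under a winlogon.exe parent and excluding the case where the launched image is the tool itself would cover any debugger binary; whether winlogon normally puts the tool name on the command line when it launches the tool directly should be confirmed in your telemetry before relying on that filter, and the `1 of them` condition has to become an explicit expression so the filter is not itself treated as a match. The rule's title, logsource and falsepositives fields lie outside the hunk, and I am assuming selection_process is the only selection in this document.
```yaml
detection:
    selection_process:
        ParentImage|endswith: '\winlogon.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    # winlogon launching the accessibility tool itself; a debugger launch has a different Image
    filter_tool_itself:
        Image|endswith:
            - '\sethc.exe'
            - '\utilman.exe'
            - '\osk.exe'
            - '\Magnify.exe'
            - '\Narrator.exe'
            - '\DisplaySwitch.exe'
    condition: selection_process and not filter_tool_itself
```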