Update sysmon_stickykey_like_backdoor.yml

Jonhnathan 2020-10-15 20:07:11 -03:00 committed by GitHub
parent 03ea1375e2
commit 6fc6409c7f
GPG Key ID: 4AEE18F83AFDEB23


@ -24,13 +24,13 @@ logsource:
product: windows product: windows
detection: detection:
selection_registry: selection_registry:
TargetObject: TargetObject|endswith:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue' EventType: 'SetValue'
condition: 1 of them condition: 1 of them
--- ---
@ -39,13 +39,13 @@ logsource:
product: windows product: windows
detection: detection:
selection_process: selection_process:
ParentImage: ParentImage|endswith:
- '*\winlogon.exe' - '\winlogon.exe'
CommandLine: CommandLine|contains:
- '*cmd.exe sethc.exe *' - 'cmd.exe sethc.exe '
- '*cmd.exe utilman.exe *' - 'cmd.exe utilman.exe '
- '*cmd.exe osk.exe *' - 'cmd.exe osk.exe '
- '*cmd.exe Magnify.exe *' - 'cmd.exe Magnify.exe '
- '*cmd.exe Narrator.exe *' - 'cmd.exe Narrator.exe '
- '*cmd.exe DisplaySwitch.exe *' - 'cmd.exe DisplaySwitch.exe '
condition: 1 of them condition: 1 of them
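Review bot: The six new `CommandLine|contains` values in the second hunk end with a space inside the closing quote (`'cmd.exe sethc.exe '` and the five lines after it), which is what carries over the old `*` suffix requirement that something follow the accessibility binary name, but nothing on the line says the whitespace is deliberate, so a formatter or a later edit can drop it and the rule silently becomes broader with no test to catch it. A comment directly above the list, `# trailing space is intentional: mirrors the old '*' suffix and requires an argument after the binary name`, makes the intent survive future edits. The first hunk's `TargetObject|endswith` conversion does not have this issue because those values end on `\Debugger`. Both `detection` blocks continue past the hunk only through their `condition` line, which is visible here.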