Merge pull request #2021 from frack113/global_registry

Split registry Global rules

rules/windows/process_creation/process_creation_apt_pandemic.yml

@@ -0,0 +1,33 @@
+title: Pandemic Registry Key
+id: 9fefd33c-339d-4495-9cba-b96ca006f512
+related:
+    - id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
+      type: derived
+status: experimental
+description: Detects Pandemic Windows Implant
+references:
+    - https://wikileaks.org/vault7/#Pandemic
+    - https://twitter.com/MalwareJake/status/870349480356454401
+tags:
+    - attack.lateral_movement
+    - attack.t1105
+author: Florian Roth
+date: 2017/06/01
+modified: 2021/09/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 'loaddll -a '
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+fields:
+    - EventID
+    - CommandLine
+    - ParentCommandLine
+    - Image
+    - User
+    - TargetObject

rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml

@@ -1,39 +1,21 @@
-action: global
 title: DNS ServerLevelPluginDll Install
+id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+related:
+    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
+      type: derived
 status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
     (restart required)
 references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
-modified: 2020/09/06
+modified: 2021/09/12
 author: Florian Roth
 tags:
     - attack.defense_evasion
     - attack.t1073 # an old one
     - attack.t1574.002
     - attack.t1112
-fields:
-    - EventID
-    - CommandLine
-    - ParentCommandLine
-    - Image
-    - User
-    - TargetObject
-falsepositives:
-    - unknown
-level: high
----
-id: e61e8a88-59a9-451c-874e-70fcc9740d67
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    dnsregmod: 
-        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
-    condition: 1 of them
----
-id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
 logsource:
     category: process_creation
     product: windows
@@ -43,4 +25,14 @@ detection:
         CommandLine|contains|all: 
             - '/config'
             - '/serverlevelplugindll'
-    condition: 1 of them
+    condition: dnsadmin
+falsepositives:
+    - unknown
+level: high
+fields:
+    - EventID
+    - CommandLine
+    - ParentCommandLine
+    - Image
+    - User
+    - TargetObject

rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml

@@ -0,0 +1,37 @@
+title: Sticky Key Like Backdoor Usage
+id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
+related:
+    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
+      type: derived
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
+    screen
+references:
+    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1015 # an old one
+    - attack.t1546.008
+    - car.2014-11-003
+    - car.2014-11-008
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+modified: 2021/09/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_process:
+        ParentImage|endswith: '\winlogon.exe'
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains:
+            - 'sethc.exe'
+            - 'utilman.exe'
+            - 'osk.exe'
+            - 'Magnify.exe'
+            - 'Narrator.exe'
+            - 'DisplaySwitch.exe'
+    condition: selection_process
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/process_creation/process_creation_sysinternals_eula_accepted.yml

@@ -1,33 +1,26 @@
-action: global
 title: Usage of Sysinternals Tools
+id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
+related:
+    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+      type: derived
 status: experimental
 description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 date: 2017/08/28
+modified: 2021/09/12
 author: Markus Neis
-falsepositives:
-    - Legitimate use of SysInternals tools
-    - Programs that use the same Registry Key
-level: low
 tags:
     - attack.resource_development 
     - attack.t1588.002 
----
-id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    selection1:
-        TargetObject|endswith: '\EulaAccepted'
-    condition: 1 of them
----
-id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection2:
+    selection:
         CommandLine|contains: ' -accepteula'
-    condition: 1 of them
+    condition: selection
+falsepositives:
+    - Legitimate use of SysInternals tools
+    - Programs that use the same Registry Key
+level: low

rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml

@@ -1,5 +1,8 @@
-action: global
 title: UAC Bypass via Event Viewer
+id: be344333-921d-4c4d-8bb8-e584cf584780
+related:
+    - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
+      type: derived  
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
 references:
@@ -7,28 +10,13 @@ references:
     - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth
 date: 2017/03/19
-modified: 2020/09/06
+modified: 2021/09/12
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1088 # an old one
     - attack.t1548.002
     - car.2019-04-001
-falsepositives:
-    - unknown
-level: critical
----
-id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    methregistry:
-        TargetObject|startswith: 'HKU\'
-        TargetObject|endswith: '\mscfile\shell\open\command'
-    condition: methregistry
----
-id: be344333-921d-4c4d-8bb8-e584cf584780
 logsource:
     category: process_creation
     product: windows
@@ -41,3 +29,6 @@ detection:
 fields:
     - CommandLine
     - ParentCommandLine
+falsepositives:
+    - unknown
+level: critical

rules/windows/registry_event/registry_event_apt_pandemic.yml

@@ -1,5 +1,5 @@
-action: global
 title: Pandemic Registry Key
+id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
 status: experimental
 description: Detects Pandemic Windows Implant
 references:
@@ -10,31 +10,21 @@ tags:
     - attack.t1105
 author: Florian Roth
 date: 2017/06/01
+modified: 2021/09/12
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:        
+        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
 fields:
     - EventID
     - CommandLine
     - ParentCommandLine
     - Image
     - User
-    - TargetObject
-falsepositives:
-    - unknown
-level: critical
----
-id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
-logsource:
-    category: registry_event
-    product: windows
-detection:
-    selection1:        
-        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
-    condition: 1 of them
----
-id: 9fefd33c-339d-4495-9cba-b96ca006f512
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection2:
-        CommandLine|contains: 'loaddll -a '
-    condition: 1 of them
+    - TargetObject

rules/windows/registry_event/registry_event_dns_serverlevelplugindll.yml

@@ -0,0 +1,32 @@
+title: DNS ServerLevelPluginDll Install
+id: e61e8a88-59a9-451c-874e-70fcc9740d67
+status: experimental
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
+    (restart required)
+references:
+    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+date: 2017/05/08
+modified: 2021/09/12
+author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.t1073 # an old one
+    - attack.t1574.002
+    - attack.t1112
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    dnsregmod: 
+        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
+    condition: dnsregmod
+falsepositives:
+    - unknown
+level: high
+fields:
+    - EventID
+    - CommandLine
+    - ParentCommandLine
+    - Image
+    - User
+    - TargetObject

rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml

@@ -1,5 +1,5 @@
-action: global
 title: Sticky Key Like Backdoor Usage
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
     screen
 references:
@@ -13,12 +13,7 @@ tags:
     - car.2014-11-008
 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
-modified: 2020/11/28
-falsepositives:
-    - Unlikely
-level: critical
----
-id: baca5663-583c-45f9-b5dc-ea96a22ce542
+modified: 2021/09/12
 logsource:
     category: registry_event
     product: windows
@@ -31,21 +26,7 @@ detection:
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
-    condition: 1 of them
----
-id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_process:
-        ParentImage|endswith: '\winlogon.exe'
-        Image|endswith: '\cmd.exe'
-        CommandLine|contains:
-            - 'sethc.exe'
-            - 'utilman.exe'
-            - 'osk.exe'
-            - 'Magnify.exe'
-            - 'Narrator.exe'
-            - 'DisplaySwitch.exe'
-    condition: 1 of them
+    condition: selection_registry
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/registry_event/registry_event_sysinternals_eula_accepted.yml

@@ -0,0 +1,23 @@
+title: Usage of Sysinternals Tools
+id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+status: experimental
+description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
+references:
+    - https://twitter.com/Moti_B/status/1008587936735035392
+date: 2017/08/28
+modified: 2021/09/12
+author: Markus Neis
+tags:
+    - attack.resource_development 
+    - attack.t1588.002 
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|endswith: '\EulaAccepted'
+    condition: selection
+falsepositives:
+    - Legitimate use of SysInternals tools
+    - Programs that use the same Registry Key
+level: low

rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml

@@ -0,0 +1,27 @@
+title: UAC Bypass via Event Viewer
+id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
+status: experimental
+description: Detects UAC bypass method using Windows event viewer
+references:
+    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
+    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
+author: Florian Roth
+date: 2017/03/19
+modified: 2021/09/12
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1088 # an old one
+    - attack.t1548.002
+    - car.2019-04-001
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    methregistry:
+        TargetObject|startswith: 'HKCU\'
+        TargetObject|endswith: '\mscfile\shell\open\command'
+    condition: methregistry
+falsepositives:
+    - unknown
+level: critical