Merge pull request #1179 from SanWieb/OSCD_regedit_3

[OSCD] regedit.exe LOLbas 72 [3]

rules/windows/process_creation/win_regedit_export_critical_keys.yml

@@ -0,0 +1,35 @@
+title: Exports Critical Registry Keys To a File
+id: 82880171-b475-4201-b811-e9c826cd5eaa
+status: experimental
+description: Detects the export of a crital Registry key to a file.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+    - attack.exfiltration
+    - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        CommandLine|contains: ' /E '
+    selection_2:
+        CommandLine|contains:
+            - 'hklm'
+            - 'hkey_local_machine'
+    selection_3:
+        CommandLine|endswith:
+            - '\system'
+            - '\sam'
+            - '\security'
+    condition: selection and selection_2 and selection_3
+fields:
+    - ParentImage
+    - CommandLine
+falsepositives:
+        - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+level: high

rules/windows/process_creation/win_regedit_export_keys.yml

@@ -0,0 +1,35 @@
+title: Exports Registry Key To a File
+id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
+status: experimental
+description: Detects the export of the target Registry key to a file.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+    - attack.exfiltration
+    - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        CommandLine|contains: ' /E '
+    filter_1: # filters to avoid intersection with critical keys rule
+        CommandLine|contains:
+            - 'hklm'
+            - 'hkey_local_machine'
+    filter_2:
+        CommandLine|endswith:
+            - '\system'
+            - '\sam'
+            - '\security'
+    condition: selection and not (filter_1 and filter_2)
+fields:
+    - ParentImage
+    - CommandLine
+falsepositives:
+    - Legitimate export of keys
+level: low

rules/windows/process_creation/win_regedit_import_keys.yml

@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+    - attack.t1112
+    - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        CommandLine|contains:
+            - ' /i '
+            - '.reg'
+    filter:
+        CommandLine|contains:
+            - ' /e '
+            - ' /a '
+            - ' /c '
+    filter_2:
+        CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+    condition: selection and not filter and not filter_2
+fields:
+    - ParentImage
+    - CommandLine
+falsepositives:
+    - Legitimate import of keys
+level: medium

rules/windows/process_creation/win_regedit_import_keys_ads.yml

@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+    - attack.t1112
+    - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        CommandLine|contains:
+            - ' /i '
+            - '.reg'
+    selection_2:
+        CommandLine|re: ':[^ \\]'
+    filter:
+        CommandLine|contains:
+            - ' /e '
+            - ' /a '
+            - ' /c '
+    condition: selection and selection_2 and not filter
+fields:
+    - ParentImage
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/sysmon/sysmon_regedit_export_to_ads.yml

@@ -0,0 +1,25 @@
+title: Exports Registry Key To an Alternate Data Stream
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+status: experimental
+description: Exports the target Registry key and hides it in the specified alternate data stream.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 15
+        Image|endswith: '\regedit.exe'
+    condition: selection
+fields:
+    - TargetFilename
+falsepositives:
+    - Unknown
+level: high