From be3c27981fe2ef6ad302945f70a2b8290484892a Mon Sep 17 00:00:00 2001
From: Karneades
Date: Wed, 11 Apr 2018 15:13:00 +0200
Subject: [PATCH 1/3] Add rule for Windows registry persistence mechanisms

---
 rules/windows/other/win_reg_persistence.yaml | 25 ++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/other/win_reg_persistence.yaml

diff --git a/rules/windows/other/win_reg_persistence.yaml b/rules/windows/other/win_reg_persistence.yaml
new file mode 100644
index 00000000..e1ed8c48
--- /dev/null
+++ b/rules/windows/other/win_reg_persistence.yaml
@@ -0,0 +1,25 @@
+---
+action: global
+title: Registry Persistence Mechanisms
+description: Detects persistence registry keys
+references:
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2018/04/11
+author: @Karneades
+detection:
+ condition: 1 of them
+falsepositives:
+ - none
+level: critical
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_reg1:
+ EventID: 13
+ TargetObject:
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode'
+ - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess'
+ EventType: 'SetValue'

From fa6677a41d69f3c45c0b92917b5cc50b93eba651 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Wed, 11 Apr 2018 15:21:42 +0200
Subject: [PATCH 2/3] Remove @ in author

Be nice to Travis: "error syntax error: found character '@' that cannot start any token"

---
 rules/windows/other/win_reg_persistence.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/other/win_reg_persistence.yaml b/rules/windows/other/win_reg_persistence.yaml
index e1ed8c48..93580083 100644
--- a/rules/windows/other/win_reg_persistence.yaml
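Review bot: The three TargetObject values in this hunk are prefixed with `HKEY_LOCAL_MACHINE\`, but as far as I know Sysmon event 13 writes the registry root in abbreviated form (`HKLM\...`) into TargetObject, so against raw Sysmon data these patterns would never match unless the ingestion pipeline rewrites the root; `- 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag'` (and the same prefix for the two SilentProcessExit values) is the form to check against a real event before merging. The `\*\` segment is also worth confirming against the backend's escaping rules, since a backslash placed directly before a wildcard can be interpreted as escaping the wildcard rather than as a path separator followed by a wildcard. `EventType: 'SetValue'` adds no selectivity on top of `EventID: 13`, which is already Sysmon's value-set event, so it can be dropped or kept purely as documentation of intent.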
+++ b/rules/windows/other/win_reg_persistence.yaml
@@ -5,7 +5,7 @@ description: Detects persistence registry keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
-author: @Karneades
+author: Karneades
 detection:
 condition: 1 of them
 falsepositives:

From b065c2c35c765d9e875b9828cb4644ae136ee8b8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 11 Apr 2018 19:03:35 +0200
Subject: [PATCH 3/3] Simplified rule

---
 rules/windows/other/win_reg_persistence.yaml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/rules/windows/other/win_reg_persistence.yaml b/rules/windows/other/win_reg_persistence.yaml
index 93580083..c74c8291 100644
--- a/rules/windows/other/win_reg_persistence.yaml
+++ b/rules/windows/other/win_reg_persistence.yaml
@@ -1,17 +1,9 @@
----
-action: global
 title: Registry Persistence Mechanisms
 description: Detects persistence registry keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
 author: Karneades
-detection:
- condition: 1 of them
-falsepositives:
- - none
-level: critical
----
 logsource:
 product: windows
 service: sysmon
@@ -23,3 +15,7 @@ detection:
 - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode'
 - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess'
 EventType: 'SetValue'
+ condition: 1 of them
+falsepositives:
+ - unknown
+level: critical
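Review bot: `level: critical` together with `falsepositives: - unknown` in the added lines of the second hunk leaves out a known benign source for this selection: the IFEO `GlobalFlag` value matched by the context lines above is also written by legitimate debugging and diagnostics tooling such as gflags.exe, so developer and troubleshooting hosts will trigger this rule with no persistence activity involved. I would record that in the new falsepositives entry, e.g. `- Legitimate debugging and diagnostics tooling (e.g. gflags.exe) setting GlobalFlag under Image File Execution Options`, and either lower the level to `high` or add a filter on the writing process once the environment's tooling is known. `condition: 1 of them` is correct while there is a single selection, but `them` will also pick up any `filter_*` selection added to this rule later, so naming the selection (`condition: selection_reg1`) is the safer form. The `selection_reg1` block this condition refers to begins before this hunk.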