valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #78 from Karneades/patch-1

Browse Source 
Add rule for Windows registry persistence mechanisms
This commit is contained in:
Florian Roth 2018-04-11 19:35:55 +02:00 committed by GitHub
commit ef7fb4cff1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
rules/windows/other/win_reg_persistence.yaml Normal file
View File

@ -0,0 +1,21 @@
title: Registry Persistence Mechanisms
description: Detects persistence registry keys
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
author: Karneades
logsource:
product: windows
service: sysmon
detection:
selection_reg1:
EventID: 13
TargetObject:
- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag'
- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode'
- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess'
EventType: 'SetValue'
condition: 1 of them
falsepositives:
- unknown
level: critical