Merge pull request #892 from rtkbkish/registry-event-fixes

Fixes for rules in new sysmon registry_event category
This commit is contained in:
Florian Roth 2020-07-05 13:12:04 +02:00 committed by GitHub
commit facd578324
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 7 deletions


@ -15,8 +15,7 @@ logsource:
product: windows
detection:
selection:
- EventID: 12 # key create
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
- # key rename


@ -17,12 +17,9 @@ logsource:
product: windows
detection:
selection:
- EventID:
- 12 # key create
- 13 # value set
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- # key rename
- # key rename
NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
condition: selection
fields:
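Review bot: The `NewName` value that survives on the new side, `HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls`, is missing an `r` in `CurentControlSet`, so a rename into the real `CurrentControlSet` path (the form the comment above says Sysmon reports) can never equal it; change the line to `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`. Unlike the first file, this hunk drops `EventID: 12 / 13` without adding an `EventType` entry, so as far as the visible lines show the selection no longer limits itself to key creation and value set; if that scope is still intended, an `EventType` line like the one added in the first file is missing here. `TargetObject` and `NewName` are also sibling keys of the same `selection` map and are therefore AND-ed, which would exclude create/set events that carry no `NewName` field — worth confirming against the rest of the rule, which lies outside the hunk.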