valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 01:15:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
SigmaHQ/wazuh/rules/sigma_win_query_registry.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
813 B
YAML
Raw Permalink Blame History

alert:
- debug
description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
filter:
- query:
query_string:
query: (data.win.eventdata.image.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:(*query* OR *save* OR *export*) AND data.win.eventdata.commandLine.keyword:(*currentVersion\\windows* OR *currentVersion\\runServicesOnce* OR *currentVersion\\runServices* OR *winlogon\\* OR *currentVersion\\shellServiceObjectDelayLoad* OR *currentVersion\\runOnce* OR *currentVersion\\runOnceEx* OR *currentVersion\\run* OR *currentVersion\\policies\\explorer\\run* OR *currentcontrolset\\services*))
index: wazuh-alerts-3.x-*
name: 970007b7-ce32-49d0-a4a4-fbef016950bd_0
priority: 4
realert:
minutes: 0
type: any
Reference in New Issue View Git Blame Copy Permalink