SigmaHQ/rules/windows/process_creation/win_susp_disable_ie_features.yml
2020-06-19 09:53:35 +02:00

31 lines
991 B
YAML

title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: experimental
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
tags:
- attack.t1089
author: Florian Roth
date: 2020/06/19
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: 1 of them
falsepositives:
- Unknown, maybe some security software installer disables these features temporarily
level: high