SigmaHQ/rules/windows/process_creation/win_control_panel_item.yml
2020-10-15 17:47:25 -03:00

38 lines
1.1 KiB
YAML

title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the malicious use of a control panel item
reference:
- https://attack.mitre.org/techniques/T1196/
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218.002
- attack.t1196 # an old one
- attack.persistence
- attack.t1546
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020/06/22
modified: 2020/08/29
level: critical
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|endswith: '.cpl'
filter:
CommandLine|contains:
- '\System32\\'
- '%System%'
selection2:
CommandLine|contains:
- 'reg add'
selection3:
CommandLine|contains:
- 'CurrentVersion\\Control Panel\\CPLs'
condition: (selection1 and not filter) or (selection2 and selection3)
falsepositives:
- Unknown