SigmaHQ/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
2021-02-26 17:48:50 +01:00

25 lines
905 B
YAML

title: SilentProcessExit Monitor Registrytion
id: c81fe886-cac0-4913-a511-2822d72ff505
description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
author: Florian Roth
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
date: 2021/02/26
tags:
- attack.persistence
- attack.t1546.012
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
Details|contains: 'MonitorProcess'
EventType:
- SetValue
- CreateValue
condition: selection
falsepositives:
- Unknown
level: high