mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
25 lines
905 B
YAML
title: SilentProcessExit Monitor Registration
id: c81fe886-cac0-4913-a511-2822d72ff505
description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
author: Florian Roth
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
date: 2021/02/26
tags:
    - attack.persistence
    - attack.t1546.012
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
        Details|contains: 'MonitorProcess'
        EventType:
            - SetValue
            - CreateValue
    condition: selection
falsepositives:
    - Unknown
level: high