From 3930fcb44652861ad67d8625bedbc64ef64cc228 Mon Sep 17 00:00:00 2001 
From: tccontre Date: Fri, 4 Oct 2024 10:17:08 +0200 Subject: [PATCH] fix_some_registry_detections_time --- .../endpoint/active_setup_registry_autostart.yml | 10 +++++----- .../add_defaultuser_and_password_in_registry.yml | 10 +++++----- ...llow_inbound_traffic_by_firewall_rule_registry.yml | 10 +++++----- .../endpoint/allow_operation_with_consent_admin.yml | 10 +++++----- .../endpoint/auto_admin_logon_registry_entry.yml | 10 +++++----- detections/endpoint/disable_amsi_through_registry.yml | 10 +++++----- .../endpoint/disable_defender_antivirus_registry.yml | 10 +++++----- .../disable_defender_blockatfirstseen_feature.yml | 10 +++++----- .../disable_defender_enhanced_notification.yml | 4 ++-- .../endpoint/disable_defender_mpengine_registry.yml | 10 +++++----- .../endpoint/disable_defender_spynet_reporting.yml | 10 +++++----- ...isable_defender_submit_samples_consent_feature.yml | 10 +++++----- detections/endpoint/disable_etw_through_registry.yml | 10 +++++----- detections/endpoint/disable_registry_tool.yml | 10 +++++----- .../disable_security_logs_using_minint_registry.yml | 10 +++++----- detections/endpoint/disable_show_hidden_files.yml | 10 +++++----- .../endpoint/disable_uac_remote_restriction.yml | 10 +++++----- detections/endpoint/disable_windows_app_hotkeys.yml | 10 +++++----- .../endpoint/disable_windows_behavior_monitoring.yml | 10 +++++----- .../disable_windows_smartscreen_protection.yml | 10 +++++----- detections/endpoint/disabling_cmd_application.yml | 10 +++++----- detections/endpoint/disabling_controlpanel.yml | 10 +++++----- detections/endpoint/disabling_defender_services.yml | 10 +++++----- .../disabling_folderoptions_windows_feature.yml | 10 +++++----- detections/endpoint/disabling_norun_windows_app.yml | 10 +++++----- .../endpoint/disabling_systemrestore_in_registry.yml | 10 +++++----- detections/endpoint/disabling_task_manager.yml | 10 +++++----- .../endpoint/enable_rdp_in_other_port_number.yml | 11 +++++------ 
.../enable_wdigest_uselogoncredential_registry.yml | 10 +++++----- detections/endpoint/etw_registry_disabled.yml | 10 +++++----- .../hide_user_account_from_sign_in_screen.yml | 10 +++++----- .../monitor_registry_keys_for_print_monitors.yml | 10 +++++----- .../registry_keys_for_creating_shim_databases.yml | 10 +++++----- .../registry_keys_used_for_privilege_escalation.yml | 10 +++++----- .../endpoint/time_provider_persistence_registry.yml | 10 +++++----- .../windows_defender_exclusion_registry_entry.yml | 10 +++++----- ...ndows_disable_change_password_through_registry.yml | 10 +++++----- ...able_lock_workstation_feature_through_registry.yml | 10 +++++----- ...windows_disable_logoff_button_through_registry.yml | 10 +++++----- .../endpoint/windows_disable_notification_center.yml | 10 +++++----- ...ndows_disable_shutdown_button_through_registry.yml | 10 +++++----- ...ws_hide_notification_features_through_registry.yml | 6 +++--- ...s_impair_defense_configure_app_install_control.yml | 8 ++++---- .../windows_impair_defense_disable_web_evaluation.yml | 8 ++++---- ...ows_impair_defense_override_smartscreen_prompt.yml | 6 +++--- .../windows_lsa_secrets_nolmhash_registry.yml | 8 ++++---- ...ndows_modify_registry_disable_restricted_admin.yml | 8 ++++---- ...indows_modify_registry_enablelinkedconnections.yml | 6 +++--- .../windows_modify_registry_longpathsenabled.yml | 8 ++++---- .../windows_modify_registry_nochangingwallpaper.yml | 8 ++++---- ...modify_registry_to_add_or_modify_firewall_rule.yml | 6 +++--- ...dify_show_compress_color_and_info_tip_registry.yml | 10 +++++----- .../windows_registry_bootexecute_modification.yml | 10 +++++----- .../endpoint/windows_registry_certificate_added.yml | 10 +++++----- .../endpoint/windows_registry_delete_task_sd.yml | 10 +++++----- ...egistry_modification_for_safe_mode_persistence.yml | 8 ++++---- .../windows_service_creation_using_registry_entry.yml | 10 +++++----- 57 files changed, 267 insertions(+), 268 deletions(-) 
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 35414f35ac..a82afaee12 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -1,8 +1,8 @@ name: Active Setup Registry Autostart id: f64579c0-203f-11ec-abcc-acde48001122 -version: 5 -date: '2024-05-27' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects suspicious modifications to the Active @@ -16,9 +16,9 @@ description: The following analytic detects suspicious modifications to the Acti data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active - Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name + Setup\\Installed Components*") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`' diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 549e04b2db..d09fc404c7 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml 
@@ -1,8 +1,8 @@ name: Add DefaultUser And Password In Registry id: d4a3eb62-0f1e-11ec-a971-acde48001122 -version: 5 -date: '2024-05-28' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects suspicious registry modifications that @@ -17,10 +17,10 @@ description: The following analytic detects suspicious registry modifications th data_source: - Sysmon EventID 13 - Sysmon EventID 14 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= - DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name + DefaultUserName) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`' diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 7ad7cf43f9..673f623f87 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml 
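Review bot: The WHERE clause carried into the rewritten `search:` mixes `AND` and `OR` without grouping: `Registry.registry_path= "*...Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName`. As I read SPL precedence (OR is evaluated before AND) this happens to give the intended `path AND (DefaultPassword OR DefaultUserName)`, but that is the reverse of most languages and a reader will likely assume the Winlogon path constraint applies only to `DefaultPassword`. Since the line is being rewritten anyway, make the grouping explicit: `WHERE Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name IN ("DefaultPassword","DefaultUserName")`.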
@@ -1,8 +1,8 @@ name: Allow Inbound Traffic By Firewall Rule Registry id: 0a46537c-be02-11eb-92ca-acde48001122 -version: 6 -date: '2024-05-22' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects suspicious modifications to firewall rule @@ -16,10 +16,10 @@ description: The following analytic detects suspicious modifications to firewall data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = - "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path + "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`' diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index d8e68c1d61..bf3d120223 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml 
@@ -1,8 +1,8 @@ name: Allow Operation with Consent Admin id: 7de17d7a-c9d8-11eb-a812-acde48001122 -version: 5 -date: '2024-05-20' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a registry modification that allows the @@ -17,10 +17,10 @@ description: The following analytic detects a registry modification that allows data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data - = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name + = "0x00000000") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`' diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 45f2adea93..40e66a2882 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml 
@@ -1,8 +1,8 @@ name: Auto Admin Logon Registry Entry id: 1379d2b8-0f18-11ec-8ca3-acde48001122 -version: 5 -date: '2024-05-10' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a suspicious registry modification that @@ -17,10 +17,10 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`' diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index ef574c1785..b966f43a25 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml 
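Review bot: `Registry.registry_value_data=1` on the new side of the search hunk matches only the REG_SZ form of `AutoAdminLogon`; a DWORD write, which Sysmon reports as `DWORD (0x00000001)` and which the sibling detections in this patch compare as `"0x00000001"`, would be missed. Since this hunk already rewrites the search, consider `Registry.registry_value_data IN ("1","0x00000001")` — I cannot tell from the diff how the Endpoint.Registry data model normalizes the DWORD form, so confirm against a Sysmon EventID 13 sample first. The trailing `| where isnotnull(registry_value_data)` becomes redundant once the value is constrained in the WHERE clause, though it is harmless.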
@@ -1,8 +1,8 @@ name: Disable AMSI Through Registry id: 9c27ec42-d338-11eb-9044-acde48001122 -version: 5 -date: '2024-05-29' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the Windows registry @@ -17,9 +17,9 @@ description: The following analytic detects modifications to the Windows registr data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" - Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000000") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index a0b2e38264..23c04e9d43 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -1,8 +1,8 @@ name: Disable Defender AntiVirus Registry id: aa4f695a-3024-11ec-9987-acde48001122 -version: 5 -date: '2024-05-28' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of Windows Defender registry 
@@ -17,10 +17,10 @@ description: The following analytic detects the modification of Windows Defender data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 2fd43e341e..fbb32ced14 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -1,8 +1,8 @@ name: Disable Defender BlockAtFirstSeen Feature id: 2dd719ac-3021-11ec-97b4-acde48001122 -version: 5 -date: '2024-05-22' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP data_source: 
@@ -16,9 +16,9 @@ description: The following analytic detects the modification of the Windows regi files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h + = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index 060054c957..ebead63673 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml @@ -1,8 +1,8 @@ name: Disable Defender Enhanced Notification id: dc65678c-301f-11ec-8e30-acde48001122 version: 4 -date: '2024-05-24' -author: Steven Dick, Teoderick Contreras, Splunk +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the registry to disable 
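Review bot: In `disable_defender_enhanced_notification.yml` the hunk changes `date` and `author` but leaves `version: 4` as a context line, while every other detection in this patch bumps `version` by one alongside the same metadata change. The diffstat shows this file has only a two-line change, so its search was not touched; either bump it to `version: 5` for consistency with the siblings, or leave `date` unchanged if the content is unchanged. I am not sure which the content-versioning convention calls for, but the current mix is inconsistent either way.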
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index f722cb1842..0e5fa9daee 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -1,8 +1,8 @@ name: Disable Defender MpEngine Registry id: cc391750-3024-11ec-955a-acde48001122 -version: 5 -date: '2024-05-21' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the Windows Defender @@ -16,10 +16,10 @@ description: The following analytic detects the modification of the Windows Defe data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`' diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 05b46452a9..d92f688acf 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml 
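Review bot: `disable_defender_mpengine_registry.yml` jumps from `version: 5` to `version: 7`, while the equivalent change in every other file of this patch bumps by exactly one. Unless a version 6 was released elsewhere and is intentionally skipped, this should read `+version: 6`. Worth a quick check, since tooling that tracks content versions may expect sequential bumps.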
@@ -1,8 +1,8 @@ name: Disable Defender Spynet Reporting id: 898debf4-3021-11ec-ba7c-acde48001122 -version: 5 -date: '2024-05-07' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the registry to disable @@ -16,9 +16,9 @@ description: The following analytic detects the modification of the registry to data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path + = SpynetReporting Registry.registry_value_data = 0x00000000) BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index d75edf1bfb..f6b4767261 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml 
@@ -1,8 +1,8 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 -version: 5 -date: '2024-05-14' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk,Steven Dick status: production type: TTP description: The following analytic detects the modification of the Windows registry @@ -16,9 +16,9 @@ description: The following analytic detects the modification of the Windows regi data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name - = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h + = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 4f8881e579..7d358f9b31 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -1,8 +1,8 @@ name: Disable ETW Through Registry id: f0eacfa4-d33f-11eb-8f9d-acde48001122 -version: 5 -date: '2024-05-24' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the registry that disable 
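Review bot: The new author line in `disable_defender_submit_samples_consent_feature.yml`, `author: Teoderick Contreras, Splunk,Steven Dick`, is missing the space after the second comma that every sibling file in this patch has. Change it to `author: Teoderick Contreras, Splunk, Steven Dick` so the author list is formatted consistently.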
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the registry that d data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" - Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path + Registry.registry_value_data = "0x00000000") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`' diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 0af25ed655..ad1a5776cb 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -1,8 +1,8 @@ name: Disable Registry Tool id: cd2cf33c-9201-11eb-a10a-acde48001122 -version: 6 -date: '2024-05-14' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the Windows registry 
@@ -17,9 +17,9 @@ description: The following analytic detects modifications to the Windows registr data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest + Registry.registry_value_data = "0x00000001") BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 7e7b26e8f2..4d5f6603e2 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -1,8 +1,8 @@ name: Disable Security Logs Using MiniNt Registry id: 39ebdc68-25b9-11ec-aec7-acde48001122 -version: 5 -date: '2024-05-29' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a suspicious registry modification aimed 
@@ -16,8 +16,8 @@ description: The following analytic detects a suspicious registry modification a data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 9a64a34bc3..d9da2e1578 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -1,8 +1,8 @@ name: Disable Show Hidden Files id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122 -version: 6 -date: '2024-05-27' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects modifications to the Windows registry 
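Review bot: The rewritten search still requires `Registry.registry_path="*\\Control\\MiniNt\\*"` and then `| where isnotnull(registry_value_data)`, which together exclude the case this detection is named for: creating the bare `MiniNt` key (Sysmon EventID 12, which is listed under `data_source`) yields a path ending in `\\MiniNt` with no value data, so it neither matches the trailing `\\*` nor survives the isnotnull filter. As I understand the technique, creating the key alone is enough to stop the Event Log service writing; no value underneath is needed. Consider `Registry.registry_path="*\\Control\\MiniNt*"` and dropping the `isnotnull` filter for this particular detection (or keying on `registry_key_name` instead) — I cannot see from the diff how the Endpoint.Registry data model fills `registry_value_data` for CreateKey events, so verify with a sample.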
@@ -15,11 +15,11 @@ description: The following analytic detects modifications to the Windows registr data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" - Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest + Registry.registry_value_data = "0x00000000" )) BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index be01d67a03..df9a1ac0c1 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -1,8 +1,8 @@ name: Disable UAC Remote Restriction id: 9928b732-210e-11ec-b65e-acde48001122 -version: 5 -date: '2024-05-24' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the registry to disable 
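Review bot: The first alternative in the rewritten WHERE, `Registry.registry_path= "*\\...\\Explorer\\Advanced\\Hidden"`, has no value constraint, unlike the `HideFileExt` and `ShowSuperHidden` branches, so any write to `Hidden` fires — including setting it to the "show hidden files" direction that this analytic treats as the defended state. If I recall the Explorer semantics correctly (1 = show hidden files, 2 = do not show), the branch should be `(Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" Registry.registry_value_data = "0x00000002")`. That keeps the Anomaly scoped to the defense-evasion direction and cuts noise from users simply re-enabling the view.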
@@ -16,9 +16,9 @@ description: The following analytic detects the modification of the registry to data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" - Registry.registry_value_data="0x00000001" ) BY _time span=1h Registry.user Registry.dest + Registry.registry_value_data="0x00000001" ) BY Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index 85e4112bf5..6431783854 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -1,8 +1,8 @@ name: Disable Windows App Hotkeys id: 1490f224-ad8b-11eb-8c4f-acde48001122 -version: 5 -date: '2024-05-11' -author: Steven Dick, Teoderick Contreras, Splunkk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a suspicious registry modification aimed 
@@ -15,10 +15,10 @@ description: The following analytic detects a suspicious registry modification a data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name - = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path + = "Debugger") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 6c8d9b60f5..50f79e76b5 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,8 +1,8 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 7 -date: '2024-07-23' -author: Steven Dick, Teoderick Contreras, Splunk +version: 8 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic identifies modifications in the registry to disable 
@@ -15,7 +15,7 @@ description: The following analytic identifies modifications in the registry to data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= @@ -24,7 +24,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" - AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest + AND Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index f4eac676b8..a8991f0762 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml 
@@ -1,8 +1,8 @@ name: Disable Windows SmartScreen Protection id: 664f0fd0-91ff-11eb-a56f-acde48001122 -version: 6 -date: '2024-05-26' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the Windows registry @@ -17,10 +17,10 @@ description: The following analytic detects modifications to the Windows registr data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data IN - ("Off", "0") BY _time span=1h Registry.dest Registry.user Registry.registry_path + ("Off", "0") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 6dee1757b5..2d2d5dc215 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml 
@@ -1,8 +1,8 @@ name: Disabling CMD Application id: ff86077c-9212-11eb-a1e6-acde48001122 -version: 6 -date: '2024-05-16' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the registry that disable @@ -16,9 +16,9 @@ description: The following analytic detects modifications to the registry that d data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 19c156b161..c0428c949d 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -1,8 +1,8 @@ name: Disabling ControlPanel id: 6ae0148e-9215-11eb-a94a-acde48001122 -version: 6 -date: '2024-05-18' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects registry modifications that disable the 
@@ -17,9 +17,9 @@ description: The following analytic detects registry modifications that disable data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`' diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 2b6483c299..5cd104decf 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -1,8 +1,8 @@ name: Disabling Defender Services id: 911eacdc-317f-11ec-ad30-acde48001122 -version: 5 -date: '2024-05-19' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the disabling of Windows Defender services 
@@ -16,11 +16,11 @@ description: The following analytic detects the disabling of Windows Defender se data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data - = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path + = 0x00000004) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 22f362cb21..86c1863a70 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -1,8 +1,8 @@ name: Disabling FolderOptions Windows Feature id: 83776de4-921a-11eb-868a-acde48001122 -version: 6 -date: '2024-05-11' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the Windows registry 
@@ -17,9 +17,9 @@ description: The following analytic detects the modification of the Windows regi data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`' diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 2654bf65a0..bceda2a37e 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -1,8 +1,8 @@ name: Disabling NoRun Windows App id: de81bc46-9213-11eb-adc9-acde48001122 -version: 6 -date: '2024-05-13' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of the Windows registry 
@@ -15,9 +15,9 @@ description: The following analytic detects the modification of the Windows regi data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index a3cc1f29a0..74bd7b7f07 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -1,8 +1,8 @@ name: Disabling SystemRestore In Registry id: f4f837e2-91fb-11eb-8bf6-acde48001122 -version: 6 -date: '2024-05-22' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects the modification of registry keys to disable 
@@ -16,12 +16,12 @@ description: The following analytic detects the modification of registry keys to data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index 382f4a93e3..b2375dc018 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -1,8 +1,8 @@ name: Disabling Task Manager id: dac279bc-9202-11eb-b7fb-acde48001122 -version: 6 -date: '2024-05-15' -author: Steven Dick, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic identifies modifications to the Windows registry 
@@ -16,9 +16,9 @@ description: The following analytic identifies modifications to the Windows regi data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index 29c3736edc..331a3e8fd1 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -1,8 +1,8 @@ name: Enable RDP In Other Port Number id: 99495452-b899-11eb-96dc-acde48001122 -version: 5 -date: '2024-05-29' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the registry that enable 
@@ -16,10 +16,9 @@ description: The following analytic detects modifications to the registry that e data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal - Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time - span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index d32c39f50f..9e35fa0f02 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -1,8 +1,8 @@ name: Enable WDigest UseLogonCredential Registry id: 0c7d8ffe-25b1-11ec-9f39-acde48001122 -version: 5 -date: '2024-05-12' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a suspicious registry modification that 
@@ -16,10 +16,10 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 1dd5816a6e..93bb6e13d5 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml @@ -1,8 +1,8 @@ name: ETW Registry Disabled id: 8ed523ac-276b-11ec-ac39-acde48001122 -version: 5 -date: '2024-05-10' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a registry modification that disables 
@@ -16,9 +16,9 @@ description: The following analytic detects a registry modification that disable data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name - = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest + = ETWEnabled Registry.registry_value_data=0x00000000) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index d5316561c5..6913e10d26 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -1,8 +1,8 @@ name: Hide User Account From Sign-In Screen id: 834ba832-ad89-11eb-937d-acde48001122 -version: 5 -date: '2024-05-17' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects a suspicious registry modification that 
@@ -16,9 +16,9 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" - AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest + AND Registry.registry_value_data = "0x00000000") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index ea1a640407..b7e45df751 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -1,8 +1,8 @@ name: Monitor Registry Keys for Print Monitors id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc -version: 6 -date: '2024-05-29' -author: Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk +version: 7 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP description: The following analytic detects modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. 
@@ -15,9 +15,9 @@ description: The following analytic detects modifications to the registry key `H data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`' diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 8fcb18edc5..7bf7a5587a 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -1,8 +1,8 @@ name: Registry Keys for Creating SHIM Databases id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb -version: 7 -date: '2024-05-17' -author: Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk +version: 8 +date: '2024-10-04' +author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP description: The following analytic detects registry activity related to the creation 
@@ -16,9 +16,9 @@ description: The following analytic detects registry activity related to the cre data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`' diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index f040e11561..f997174e4e 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -1,8 +1,8 @@ name: Registry Keys Used For Privilege Escalation id: c9f4b923-f8af-4155-b697-1354f5bcbc5e -version: 8 -date: '2024-05-18' -author: Steven Dick, David Dorsey, Teoderick Contreras, Splunk +version: 9 +date: '2024-10-04' +author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to registry keys under "Image 
@@ -16,10 +16,10 @@ description: The following analytic detects modifications to registry keys under data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 08637f9b05..139b88c817 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -1,8 +1,8 @@ name: Time Provider Persistence Registry id: 5ba382c4-2105-11ec-8d8f-acde48001122 -version: 5 -date: '2024-05-13' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects suspicious modifications to the time provider 
@@ -16,9 +16,9 @@ description: The following analytic detects suspicious modifications to the time data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`' diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 0caa33d2ad..0b700326a4 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -1,8 +1,8 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: 5 -date: '2024-09-24' -author: Steven Dick, Teoderick Contreras, Splunk +version: 6 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects modifications to the Windows Defender 
@@ -15,9 +15,9 @@ description: The following analytic detects modifications to the Windows Defende data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 76ee500f88..9b95637c00 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -1,8 +1,8 @@ name: Windows Disable Change Password Through Registry id: 0df33e1a-9ef6-11ec-a1ad-acde48001122 -version: 4 -date: '2024-05-19' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects a suspicious registry modification that 
@@ -17,9 +17,9 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.registry_path + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index b74c266c1f..3646214f9a 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -1,8 +1,8 @@ name: Windows Disable Lock Workstation Feature Through Registry id: c82adbc6-9f00-11ec-a81f-acde48001122 -version: 4 -date: '2024-05-25' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects a suspicious registry modification that 
@@ -17,9 +17,9 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index c1fb076d93..0b7d672db0 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -1,8 +1,8 @@ name: Windows Disable LogOff Button Through Registry id: b2fb6830-9ed1-11ec-9fcb-acde48001122 -version: 4 -date: '2024-05-30' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects a suspicious registry modification that 
@@ -16,10 +16,10 @@ description: The following analytic detects a suspicious registry modification t data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data - = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path + = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index d0cdee55a5..c7269ed4c0 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -1,8 +1,8 @@ name: Windows Disable Notification Center id: 1cd983c8-8fd6-11ec-a09d-acde48001122 -version: 4 -date: '2024-05-28' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects the modification of the Windows registry 
@@ -15,9 +15,9 @@ description: The following analytic detects the modification of the Windows regi data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data - = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path + = "0x00000001") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`' diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index e81ee734ce..dc9b1a53de 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -1,8 +1,8 @@ name: Windows Disable Shutdown Button Through Registry id: 55fb2958-9ecd-11ec-a06a-acde48001122 -version: 4 -date: '2024-05-19' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects suspicious registry modifications that 
@@ -16,10 +16,10 @@ description: The following analytic detects suspicious registry modifications th data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" - Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = "0x00000001")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index 71c42cefd0..078bee8041 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -1,8 +1,8 @@ name: Windows Hide Notification Features Through Registry id: cafa4bce-9f06-11ec-a7b2-acde48001122 -version: 4 +version: 5 date: '2024-05-26' -author: Steven Dick, Teoderick Contreras, Splunk +author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly description: The following analytic detects suspicious registry modifications aimed 
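Review bot: In the `@@ -1,8 +1,8 @@` hunk for windows_hide_notification_features_through_registry.yml the version is raised from 4 to 5 but `date: '2024-05-26'` is left untouched, while every other version bump in this commit also sets `date: '2024-10-04'`. The search body of this file changes in the next hunk, so the metadata should move together: `date: '2024-10-04'`. The `@@ -1,6 +1,6 @@` hunk for windows_modify_registry_to_add_or_modify_firewall_rule.yml has the same gap (version 1 to 2 with `date: '2024-06-21'` unchanged).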
@@ -15,7 +15,7 @@ description: The following analytic detects suspicious registry modifications ai data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index 39802aae08..9a7bd50015 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Configure App Install Control id: c54b7439-cfb1-44c3-bb35-b0409553077c -version: 2 -date: '2024-05-22' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
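Review bot: The `@@ -15,7 +15,7 @@` hunk for windows_hide_notification_features_through_registry.yml changes only the first line of `search`, adding `min(_time) as firstTime max(_time) as lastTime`, and the hunk ends on the trailing `BY` of a context line, so the grouping fields and the rest of the pipeline are outside the hunk. In the other files of this commit the matching `BY` line drops `_time span=1h` and adds `Registry.process_guid`; if that line was not changed here, this search keeps hourly bucketing, and if the pipeline does not already contain `security_content_ctime(firstTime)` / `security_content_ctime(lastTime)`, the new aggregates are computed but never formatted. Worth confirming the remainder of this search was updated to match the sibling detections.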
@@ -16,11 +16,11 @@ description: The following analytic detects modifications to the Windows registr increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= - "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path + "0x00000000") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`' diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index 8b4b40941b..bd88ec9d03 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Disable Web Evaluation id: e234970c-dcf5-4f80-b6a9-3a562544ca5b -version: 2 -date: '2024-05-27' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the Windows registr malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= - "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path + "0x00000000" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`' diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index 1eaf1df99c..df8ac10af8 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -1,7 +1,7 @@ name: Windows Impair Defense Override SmartScreen Prompt id: 08058866-7987-486f-b042-275715ef6e9d version: 2 -date: '2024-05-31' +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
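Review bot: In the `@@ -1,7 +1,7 @@` hunk for windows_impair_defense_override_smartscreen_prompt.yml only `date` changes and `version: 2` is kept, although the following hunk rewrites the `search` field in the same way as the other detections, each of which gets a version increment. Consumers that track content by version will not notice this search change; `version: 3` would keep it consistent with the rest of the commit.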
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the Windows registr users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" - Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data= "0x00000000" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`' diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index e63a6b0aae..b7f11b438b 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -1,7 +1,7 @@ name: Windows LSA Secrets NoLMhash Registry id: 48cc1605-538c-4223-8382-e36bee5b540d -version: 2 -date: '2024-05-24' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the Windows registr is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" - Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`' diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index 649ccc3627..51e66bb407 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Disable Restricted Admin id: cee573a0-7587-48e6-ae99-10e8c657e89a -version: 2 -date: '2024-05-31' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
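Review bot: The new line `Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user` in the `@@ -16,9 +16,9 @@` hunk for windows_lsa_secrets_nolmhash_registry.yml keeps the comparison value unquoted, while the other searches touched in this commit write it as a string, e.g. `Registry.registry_value_data = "0x00000000"`. Since the line is being rewritten anyway, quoting it would make the set consistent and avoid relying on how the tstats WHERE clause tokenises a bare hex literal. The same unquoted form is in the rewritten line of the `@@ -15,9 +15,9 @@` hunk for windows_modify_registry_disable_restricted_admin.yml.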
@@ -15,9 +15,9 @@ description: The following analytic detects modifications to the Windows registr can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" - Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user + Registry.registry_value_data = 0x00000000) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`' diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml index 49e5c60bf6..ada4c0c315 100644 --- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml +++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry EnableLinkedConnections id: 93048164-3358-4af0-8680-aa5f38440516 -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -17,7 +17,7 @@ description: The following analytic detects a suspicious modification to the Win administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml index be3d23dcb8..f3bd04f5de 100644 --- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml +++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry LongPathsEnabled id: 36f9626c-4272-4808-aadd-267acce681c0 -version: 2 -date: '2024-05-21' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: Anomaly 
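Review bot: In the `@@ -17,7 +17,7 @@` hunk for windows_modify_registry_enablelinkedconnections.yml the first `search` line gains `min(_time) as firstTime max(_time) as lastTime`, but the context line that follows still reads `BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data`, whereas every other search in this commit removes `_time span=1h` and adds `Registry.process_guid` to the grouping. Keeping the hourly bucket makes firstTime/lastTime collapse to the bucket bounds and leaves this detection aggregating differently from its siblings; the line should presumably become `BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid`. The remainder of the `BY` list and the rest of the pipeline, including whether `security_content_ctime(firstTime)` is applied, lie outside the hunk.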
@@ -16,9 +16,9 @@ description: The following analytic detects a modification to the Windows regist path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_value_data = "0x00000001") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`' diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml index 0004e9f3de..d6c2cea4e3 100644 --- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml +++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry NoChangingWallPaper id: a2276412-e254-4e9a-9082-4d92edb6a3e0 -version: 2 -date: '2024-05-30' +version: 3 +date: '2024-10-04' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,9 +15,9 @@ description: The following analytic detects modifications to the Windows registr to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" - Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data = 1) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`' diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index 7aecc13f3f..39f77cb369 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -1,6 +1,6 @@ name: Windows Modify Registry to Add or Modify Firewall Rule id: 43254751-e2ce-409a-b6b4-4f851e8dcc26 -version: 1 +version: 2 date: '2024-06-21' author: Teoderick Contreras, Splunk data_source: 
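Review bot: The rewritten line `Registry.registry_value_data = 1) BY Registry.dest Registry.user Registry.registry_path` in the `@@ -15,9 +15,9 @@` hunk for windows_modify_registry_nochangingwallpaper.yml compares against the bare integer `1`, while the sibling detections in this commit match the normalised string form, e.g. `Registry.registry_value_data = "0x00000001"`. If `registry_value_data` is populated in that hex-string form for this key, as the other searches assume, the `= 1` comparison would not match and the detection would be silent; since the line is being changed, aligning it to `"0x00000001"` (or matching both forms) is worth checking against sample events.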
@@ -14,9 +14,9 @@ description: The following analytic detects a potential addition or modification netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts to alter network access controls. Monitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.action = modified - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user Registry.action + BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 80738ab935..e0b8288f4c 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml 
@@ -1,8 +1,8 @@ name: Windows Modify Show Compress Color And Info Tip Registry id: b7548c2e-9a10-11ec-99e3-acde48001122 -version: 4 -date: '2024-05-27' -author: Steven Dick, Teoderick Contreras, Splunk +version: 5 +date: '2024-10-04' +author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP description: The following analytic detects suspicious modifications to the Windows @@ -16,9 +16,9 @@ description: The following analytic detects suspicious modifications to the Wind data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" - AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h + AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index 546d7f54b7..4949f9888a 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -1,8 +1,8 @@ name: Windows Registry BootExecute Modification id: eabbac3a-45aa-4659-920f-6b8cff383fb8 -version: 2 -date: '2024-05-29' -author: Michael Haag, Splunk +version: 3 +date: '2024-10-04' +author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP data_source: 
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the BootExecute reg to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session - Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name + Manager\\BootExecute" BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`' diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml index 1166aab216..48078366c6 100644 --- a/detections/endpoint/windows_registry_certificate_added.yml +++ b/detections/endpoint/windows_registry_certificate_added.yml @@ -1,8 +1,8 @@ name: Windows Registry Certificate Added id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87 -version: 3 -date: '2024-05-29' -author: Michael Haag, Splunk +version: 4 +date: '2024-10-04' +author: Michael Haag, Teodeerick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the installation of a root CA certificate 
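Review bot: The new `author` line in the `@@ -1,8 +1,8 @@` hunk for windows_registry_certificate_added.yml misspells the name as `Teodeerick Contreras`; the same commit writes `Teoderick Contreras` everywhere else, including the preceding hunk for windows_registry_bootexecute_modification.yml. Suggested line: `author: Michael Haag, Teoderick Contreras, Splunk`.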
@@ -16,9 +16,9 @@ description: The following analytic detects the installation of a root CA certif data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" - by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`' diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index 2b76652237..82ea5cc84c 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -1,8 +1,8 @@ name: Windows Registry Delete Task SD id: ffeb7893-ff06-446f-815b-33ca73224e92 -version: 2 -date: '2024-05-12' -author: Michael Haag, Splunk +version: 3 +date: '2024-10-04' +author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects a process attempting to delete a scheduled 
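Review bot: The rewritten first `search` line in the `@@ -16,9 +16,9 @@` hunk for windows_registry_certificate_added.yml changes `from` to `FROM`, but the `where` on the following context line and the rewritten `by Registry.dest ...` line stay lowercase, so one query now mixes keyword case. Either keep the original lowercase `from` or write `WHERE`/`BY` as the other detections in this commit do. The same mixed result appears in the search hunks for windows_registry_delete_task_sd.yml and windows_registry_modification_for_safe_mode_persistence.yml.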
@@ -16,10 +16,10 @@ description: The following analytic detects a process attempting to delete a sch data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified) - by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path + by Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`' diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml index 8f49937bed..3630727133 100644 --- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml +++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml @@ -1,7 +1,7 @@ name: Windows Registry Modification for Safe Mode Persistence id: c6149154-c9d8-11eb-9da7-acde48001122 -version: 5 -date: '2024-05-20' +version: 6 +date: '2024-10-04' author: Teoderick Contreras, Michael Haag, Splunk status: production type: TTP 
@@ -16,9 +16,9 @@ description: The following analytic identifies modifications to the SafeBoot reg
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*")
- by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name
+ by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data
| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`'
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 3815ab0278..e19d692fbf 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -1,8 +1,8 @@
name: Windows Service Creation Using Registry Entry
id: 25212358-948e-11ec-ad47-acde48001122
-version: 4
-date: '2024-05-30'
-author: Steven Dick, Teoderick Contreras, Splunk
+version: 5
+date: '2024-10-04'
+author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects the modification of registry keys that
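Review bot: The new `author` line in the windows_service_creation_using_registry_entry header hunk, `+author: Teoderick Contreras, Splunk, Steven Dick`, moves the organisation into the middle of the list, while the other two headers visible in this patch keep it last (`author: Michael Haag, Teoderick Contreras, Splunk`). As written it reads as though the last-named author is outside Splunk. If the intent was only to credit the new contributor first, `author: Teoderick Contreras, Steven Dick, Splunk` keeps that while preserving the `Name, Name, Org` ordering used elsewhere.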
@@ -15,9 +15,9 @@ description: The following analytic detects the modification of registry keys th
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name
- = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path
+ = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`'
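Review bot: `| where isnotnull(registry_value_data)` on the trailing context line is now redundant, because `Registry.registry_value_data` has become a tstats split-by field on the new `+ = ImagePath) BY` line and tstats already omits rows where a split-by field is null; either drop the `where`, or keep it and take the field out of `BY`, so the intent is enforced once and visibly. As a style point, this hunk writes the SPL keywords as `FROM ... WHERE ... BY` while the three sibling hunks in this patch use `FROM ... where ... by`; one casing across the batch makes the searches easier to grep and diff later. The description for this detection begins in the hunk header and continues outside the hunk, so it should be checked separately for any reference to the hourly `span=1h` buckets the old `BY _time span=1h` produced, since the new clause yields one row per field combination over the whole search window instead.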
