search

ManderVoronwe / soc-g3

1 stars 0 forks source link

Ajout d'une clé Run / RunOnce #4

Open tidalwaave opened 11 months ago

tidalwaave commented 11 months ago

Splunk Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `registry_keys_used_for_persistence_filter`

Alert Priority :

LOW

Source

https://research.splunk.com/endpoint/f5f6af30-7aa7-4295-bfe9-07fe87c01a4b/

tidalwaave commented 11 months ago

SUR UN DC : HIGH

PAS SUR UN DC : Medium

tidalwaave commented 11 months ago

Base rule : 

index=* source="WinEventLog:Sysmon" sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" 
(EventCode=12 OR EventCode=13 OR EventCode=14) 
(TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*" 
OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*" 
OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservices\\*" 
OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservicesonce\\*" 
OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" 
OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*")
tidalwaave commented 11 months ago

SUR UN DC : 

index=* source="WinEventLog:Sysmon" 
sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" 
(EventCode=12 OR EventCode=13)   
(TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservices\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservicesonce\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*") 
ComputerName="DC01.reynholm.inc"
tidalwaave commented 11 months ago

PAS SUR UN DC :

index=* source="WinEventLog:Sysmon" 
sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" 
(EventCode=12 OR EventCode=13)   
(TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservices\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runservicesonce\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*"   OR TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*") 
ComputerName!="DC01.reynholm.inc"
tidalwaave commented 11 months ago

https://www.cyborgsecurity.com/cyborg-labs/hunting-for-persistence-registry-run-keys-startup-folder/

tidalwaave commented 11 months ago

Ajouté sur le DC

tidalwaave commented 11 months ago

Ajoutée hors DC