Open Mahir-Ali-khan opened 1 month ago
Summary of the Pull Request
Detects the modification of the registry values DefaultUserName, DefaultPassword and AutoAdminLogon to enable automatic logon. Attackers use this technique to achieve persistence.
Changelog
Example Log Event
```
Process Create:
RuleName: -
UtcTime: 2024-10-16 11:02:12.493
ProcessGuid: {c419c85b-9d34-670f-8328-000000004700}
ProcessId: 12348
Image: C:\Windows\System32\reg.exe
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: Registry Console Tool
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: reg.exe
CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
CurrentDirectory: C:\Users\user\
User: XXXXXXXXXX\XXXXXXXX
LogonGuid: {c419c85b-9d89-670c-8fed-187f00000000}
LogonId: 0xF17ED8F
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: MD5=CDB58D0BCABE76AFC60428F364834463,SHA256=411AE446FE37B30C0727888C7FA5E88994A46DAFD41AA5B3B06C9E884549AFDE,IMPHASH=1085BD82B37A225F6D356012D2E69C3D
ParentProcessGuid: {c419c85b-8ebb-670f-4827-000000004700}
ParentProcessId: 21116
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\WINDOWS\system32\cmd.exe"
ParentUser: XXXXXXXXXX\XXXXXXXX
```
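The detection this PR describes, run over flattened Sysmon Process Create lines like the one above, as an added Python example (not the PR's Sigma rule or SigmaHQ code). The field names follow the Sysmon Event ID 1 layout of the example event; the sample lines, the `LAB\alice` user and the non-firing query are constructed.

```python
import re
# Sysmon Event ID 1 field names as they appear in the flattened "Process Create:" text
SYSMON_FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
                 "Description", "Product", "Company", "OriginalFileName", "CommandLine",
                 "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
                 "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
                 "ParentImage", "ParentCommandLine", "ParentUser"]
FIELD_RE = re.compile(r"\b(" + "|".join(SYSMON_FIELDS) + r"): ")

# Key and value names the rule looks for (matched case-insensitively, as the registry is)
WINLOGON_KEY = r"\currentversion\winlogon"
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword"}
REG_ADD_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+add\b', re.IGNORECASE)  # <exe> add ...
VALUE_RE = re.compile(r'/v\s+"?([^\s"]+)"?', re.IGNORECASE)

def parse_process_create(line):
    """Split a flattened 'Process Create:' line on known field names (values contain ': ' too)."""
    parts = FIELD_RE.split(line)  # [prefix, name, value, name, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def is_autologon_modification(event):
    """True when reg.exe adds or overwrites an autologon value under Winlogon."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not (image.endswith("\\reg.exe") or event.get("OriginalFileName", "").lower() == "reg.exe"):
        return False  # only the Registry Console Tool, whatever the file on disk is named
    if not REG_ADD_RE.match(cmd) or WINLOGON_KEY not in cmd.lower():
        return False  # 'reg query' and other keys are not modifications of interest
    match = VALUE_RE.search(cmd)
    return bool(match) and match.group(1).lower() in AUTOLOGON_VALUES

def find_autologon_events(lines):
    """Return (UtcTime, CommandLine) for every line the rule would fire on."""
    hits = []
    for line in lines:
        event = parse_process_create(line)
        if is_autologon_modification(event):
            hits.append((event.get("UtcTime", ""), event["CommandLine"]))
    return hits

# Constructed Sysmon lines (not real telemetry), trimmed to the fields used above
SAMPLE_LINES = [
    # fires: enabling AutoAdminLogon, the same command as the PR's example event
    r'Process Create: RuleName: - UtcTime: 2024-10-16 11:02:12.493 Image: C:\Windows\System32\reg.exe OriginalFileName: reg.exe CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f User: LAB\alice ParentImage: C:\Windows\System32\cmd.exe',
    # fires: DefaultUserName written under the same key
    r'Process Create: RuleName: - UtcTime: 2024-10-16 11:02:40.001 Image: C:\Windows\System32\reg.exe OriginalFileName: reg.exe CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d alice /f User: LAB\alice ParentImage: C:\Windows\System32\cmd.exe',
    # does not fire: read-only query of an unrelated Winlogon value
    r'Process Create: RuleName: - UtcTime: 2024-10-16 11:03:05.120 Image: C:\Windows\System32\reg.exe OriginalFileName: reg.exe CommandLine: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell User: LAB\alice ParentImage: C:\Windows\System32\cmd.exe',
]
```

Checking `OriginalFileName` alongside `Image` keeps the logic firing when the binary has been copied under another name, which an `Image`-only selection would miss.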
Fixed Issues
SigmaHQ Rule Creation Conventions