Closed DefSecSentinel closed 2 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Description
This detection looks at suspect changes being made within the HKEY_USERS hive of the registry specifically within a users SID_Classes subkey where the process could be used to execute code against the registry and the registry key value upon change is an empty string. This rule was created following analysis of a new version of a known strain of malware that implements this technique for executing malicious obfuscated Powershell in the registry. This query was ran against Windows data dating back 90 days and detected no false positives. That doesn't mean they don't exist.
Required Info
Target indexes
logs-*, winlogbeat-*
Additional requirements
This detection will match on both Elastic endpoint file events and Symon file creation events.
Target Operating Systems
Windows
Platforms
Tested ECS Version
7.14.0
Optional Info
Query
New fields required in ECS/data sources for this rule?
Related issues or PRs
References