Closed Ptylu closed 2 years ago
Thanks again for this submission (and the others)! We should finally have a chance to review and merge them in the next week, apologies for the delay.
Hello Ivan,
You're welcome! No problem, I have other detections to share (I was waiting for the first reviews). Tell me whether I can improve my submission to simplify your reviews!
@Ptylu This one looks great! My only suggestion would be updating the analytic to also include Sysmon EID 1 events (EventCode=1), since Windows 4688 doesn't typically include command lines (CommandLine) by default. I think it would simply be (for Splunk):
(source="WinEventLog:*" EventLog="Security" (((EventCode="4688" OR EventCode="1")((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) ("0" OR "*00000000") CommandLine="*SafeDllSearchMode*") OR (EventCode="4657" ObjectValueName="SafeDllSearchMode" NewValue="0")))
What do you think?
Hello @ikiril01, yes, you're right. I modified the 4 pull requests with the Sysmon EventID 1.
@Ptylu perfect, thanks!
One more thing - since we've added Sysmon for process creation (EID 1), we should also add the corresponding registry manipulation event. In this case, it would just be updating the last clause to:
((EventCode="4657" ObjectValueName="SafeDllSearchMode" NewValue="0") OR (EventCode="13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)"))
Thanks!
Hi @ikiril01, I improved my sigma file, so the searches are a bit different. I also added the Sysmon 13 as requested. If it's OK for you, I will modify the 3 other pull requests.
@Ptylu yup, that looks good! I'll merge this one now and will do the rest once they're updated.
-finished- Detection of the creation of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The SafeDllSearchMode key, if set to 0, will block the Windows mechanism for the DLL search order, and adversaries may execute their own malicious DLL.
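The detection logic the thread converges on (process creation via Security 4688 or Sysmon EID 1 whose command line sets SafeDllSearchMode to 0 with reg add /d or Set-ItemProperty -Value, plus the registry write itself via Security 4657 or Sysmon EID 13), as an added, offline re-implementation that is not part of the pull request or the repository. For context: SafeDllSearchMode is a REG_DWORD value under HKLM\System\CurrentControlSet\Control\Session Manager, and setting it to 0 disables safe DLL search mode so the current directory is searched before the system directories. The field names (EventCode, CommandLine, ObjectValueName, NewValue, EventType, TargetObject, Details) are the Splunk field names used in the thread; the sample events are constructed, not real telemetry.

```python
"""Added example (not the PR's own code): the SafeDllSearchMode=0 detection
discussed in the thread, re-implemented in Python and run over constructed
sample events. Two branches are checked per event:

  * process creation (EventCode 4688 or Sysmon 1) whose CommandLine sets
    SafeDllSearchMode to 0 via `reg add ... /d 0` or `Set-ItemProperty ... -Value 0`
  * registry value set (EventCode 4657 or Sysmon 13) where SafeDllSearchMode
    becomes DWORD 0
"""
import re

SAFE_DLL = "safedllsearchmode"

# A zero DWORD as typed on a command line or shown by 4657: "0", "0x0", "0x00000000".
_ZERO = re.compile(r"^(0x)?0+$")
_REG_ADD = re.compile(r"\breg(\.exe)?\b.*\badd\b")


def _value_after(tokens, flag):
    """Return the token following `flag` (case-insensitive), quotes stripped, or None."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1].strip("\"'")
    return None


def process_event_matches(ev):
    """4688 / Sysmon 1 branch: command line that sets SafeDllSearchMode to 0."""
    if str(ev.get("EventCode")) not in ("4688", "1"):
        return False
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if SAFE_DLL not in low:
        return False
    tokens = cmd.split()
    if _REG_ADD.search(low):
        val = _value_after(tokens, "/d")
    elif "set-itemproperty" in low:
        val = _value_after(tokens, "-value")
    else:
        return False
    return val is not None and _ZERO.match(val) is not None


def registry_event_matches(ev):
    """4657 / Sysmon 13 branch: the value itself written as DWORD 0."""
    code = str(ev.get("EventCode"))
    if code == "4657":
        return (ev.get("ObjectValueName", "").lower() == SAFE_DLL
                and _ZERO.match(str(ev.get("NewValue", ""))) is not None)
    if code == "13":
        return (ev.get("EventType") == "SetValue"
                and ev.get("TargetObject", "").lower().endswith("\\" + SAFE_DLL)
                and ev.get("Details") == "DWORD (0x00000000)")
    return False


def detect(events):
    """Return the events that trigger either branch of the analytic."""
    return [ev for ev in events
            if process_event_matches(ev) or registry_event_matches(ev)]


# Constructed sample events (not real logs). Only the first, second, fourth and
# fifth should fire; the others are benign re-enables or read-only queries.
KEY = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager"
SAMPLE_EVENTS = [
    {"EventCode": "4688",
     "CommandLine": f'reg add "{KEY}" /v SafeDllSearchMode /t REG_DWORD /d 0 /f'},
    {"EventCode": "1",
     "CommandLine": f"powershell -c Set-ItemProperty -Path '{KEY}' -Name SafeDllSearchMode -Value 0"},
    {"EventCode": "1",
     "CommandLine": f'reg add "{KEY}" /v SafeDllSearchMode /t REG_DWORD /d 1 /f'},
    {"EventCode": "4657", "ObjectValueName": "SafeDllSearchMode", "NewValue": "0"},
    {"EventCode": "13", "EventType": "SetValue",
     "TargetObject": KEY + "\\SafeDllSearchMode", "Details": "DWORD (0x00000000)"},
    {"EventCode": "13", "EventType": "SetValue",
     "TargetObject": KEY + "\\SafeDllSearchMode", "Details": "DWORD (0x00000001)"},
    {"EventCode": "4688",
     "CommandLine": f'reg query "{KEY}" /v SafeDllSearchMode'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The zero check deliberately accepts hex spellings such as 0x0 on the command line, which the literal "0" / "*00000000" terms in the thread's search do not explicitly list; whether your SIEM tokenizes those the same way is worth confirming against real events. The registry branch is the more robust of the two, since it fires regardless of which tool wrote the value.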