{
"attributes": {
"author": [
"Elastic"
],
"description": "Identifies a persistence mechanism that uses the NtSetValueKey native API to create a hidden (null-terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).",
"from": "now-9m",
"index": [
"logs-endpoint.events.*",
"winlogbeat-*",
"logs-windows.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Persistence via Hidden Run Key Detected",
"query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",
"references": [
"https://github.com/outflanknl/SharpHide",
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"
],
"risk_score": 73,
"rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
"severity": "high",
"tags": [
"Elastic",
"Host",
"Windows",
"Threat Detection",
"Persistence"
],
"threat": [
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"reference": "https://attack.mitre.org/techniques/T1547/",
"subtechnique": [
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"reference": "https://attack.mitre.org/techniques/T1547/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
},
"id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c",
"type": "security-rule"
}