[Rule Tuning] Sysmon Registry-based Rules Review & Fixes#1775

Merged
w0rk3r merged 2 commits into main from sysmon_registry
Feb 15, 2022

Conversation

@w0rk3r w0rk3r commented Feb 15, 2022

Summary

Resolves #1766
Resolves #1761

Changes:

  • Drops support for sysmon in registry-based rules that look for values other than QWORD & DWORD (Integration Issue, will update once the issue is open)
  • Adds HKU version of HKEY_USERS keys in supported rules
  • Fixes minor syntax errors and lack of wildcards to be compatible with both sysmon and endpoint
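As an added example (not code from this PR or from the detection-rules repository), a small Python linter for the defect classes this PR fixes: a misspelled hive such as HLLM, HKEY_USERS paths with no HKU twin, hard-coded ControlSet names that should be *ControlSet*, and rules that keep the Sysmon indices while matching on registry.data.strings. KNOWN_HIVES, PATH_LITERAL and the two sample rule dicts are constructed assumptions for the demo.

```python
import re

# Assumed hive allow-list; HKU and HKEY_USERS both appear because the PR adds HKU twins.
KNOWN_HIVES = {"HKLM", "HKU", "HKEY_USERS", "HKCU", "HKCR"}
# Indices that carry Sysmon registry events (Winlogbeat / the Windows integration).
SYSMON_INDICES = {"winlogbeat-*", "logs-windows.*"}
# Assumed literal shape inside the TOML query: "<hive>\\<rest>" with escaped backslashes.
PATH_LITERAL = re.compile(r'"([A-Za-z_]+)\\\\([^"]*)"')

def registry_paths(query):
    """Return (hive, rest) for every registry path literal in the query text."""
    return [(m.group(1), m.group(2)) for m in PATH_LITERAL.finditer(query)]

def unknown_hives(query):
    """Hive tokens that are not real hives, e.g. the HLLM typo this PR corrects."""
    return sorted({h for h, _ in registry_paths(query) if h not in KNOWN_HIVES})

def missing_hku_twins(query):
    """HKEY_USERS paths with no HKU counterpart (or the reverse): the PR adds HKU
    twins so both spellings of the users hive match; a lone one misses the other."""
    by_hive = {"HKEY_USERS": set(), "HKU": set()}
    for hive, rest in registry_paths(query):
        if hive in by_hive:
            by_hive[hive].add(rest)
    return sorted(by_hive["HKEY_USERS"] ^ by_hive["HKU"])

def unwildcarded_controlset(query):
    """Paths hard-coding CurrentControlSet or ControlSet00N instead of *ControlSet*."""
    return sorted(r for _, r in registry_paths(query)
                  if re.search(r"CurrentControlSet|ControlSet\d+", r))

def string_values_on_sysmon(rule):
    """True when a rule keeps Sysmon indices but matches on registry.data.strings,
    which the integration leaves null because only DWORD/QWORD values are parsed."""
    uses_sysmon = bool(SYSMON_INDICES & set(rule.get("index", [])))
    return uses_sysmon and "registry.data.strings" in rule.get("query", "")

# Constructed sample rules (not from the repository), one per defect class.
PRINT_PROCESSORS = {
    "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"],
    "query": r'''registry where event.type in ("creation", "change") and
  registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
                   "HLLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows*\\Print Processors\\*")''',
}
RUN_KEY_STRINGS = {
    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
    "query": r'registry where registry.path : "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*" and registry.data.strings : "C:\\Users\\*"',
}
```

Run each check over the `[rule]` table of every registry-based TOML file in CI; a non-empty list or a True result is a finding to fix before merge.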

@w0rk3r w0rk3r added the labels Rule: Tuning (tweaking or tuning an existing rule), OS: Windows (windows related rules) and Domain: Endpoint on Feb 15, 2022
@w0rk3r w0rk3r self-assigned this Feb 15, 2022
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
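Review bot: removing `winlogbeat-*` and `logs-windows.*` from `index` drops Sysmon coverage for this rule with no trace in the rule body; the reason (the integration only parses DWORD and QWORD values, so `registry.data.strings` is always null) lives only in this review comment. Consider stating that limitation in the rule's description so Winlogbeat users know why the rule no longer fires, and referencing the integration issue the summary promises so the indices can be restored once string values are parsed. The same applies to the other `index` hunks in this PR.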
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

registry where event.type in ("creation", "change") and
registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
"HLLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*") and
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*") and
w0rk3r (Contributor Author):

Typo

"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
w0rk3r (Contributor Author):

The integration is only parsing DWORD and QWORD registry values, so registry.data.strings will always be null here. Dropping Support

@w0rk3r w0rk3r changed the title [Rule Tuning] Sysmon Rules Review & Fixes [Rule Tuning] Sysmon Registry-based Rules Review & Fixes Feb 15, 2022
@brokensound77 brokensound77 (Contributor) left a comment:

🚀 LGTM

@Samirbous Samirbous (Contributor) left a comment:

Thanks! 💯

@w0rk3r w0rk3r merged commit 9bbe26f into main Feb 15, 2022
@w0rk3r w0rk3r deleted the sysmon_registry branch February 15, 2022 12:56
protectionsmachine pushed a commit that referenced this pull request Feb 15, 2022
* Initial Review of Sysmon Registry Rules

* Update defense_evasion_sip_provider_mod.toml

(cherry picked from commit 9bbe26f)
Labels

backport: auto, Domain: Endpoint, OS: Windows (windows related rules), Rule: Tuning (tweaking or tuning an existing rule)
