CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
62b856efbb520f3ffefe3c2b55e9482df5cb99f6
hayabusa/rules/sigma/registry_event/sysmon_susp_service_installed.yml
T
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

48 lines
1.4 KiB
YAML
Raw Blame History

title: Suspicious Service Installed
ruletype: Sigma
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
description: Detects installation of NalDrv or PROCEXP152 services via registry-keys
to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
which uses KDU (https://github.com/hfiref0x/KDU)
detection:
SELECTION_1:
EventID: 12
SELECTION_2:
EventID: 13
SELECTION_3:
EventID: 14
SELECTION_4:
TargetObject:
- HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath
- HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath
SELECTION_5:
Image:
- '*\procexp64.exe'
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
SELECTION_6:
Details:
- '*\WINDOWS\system32\Drivers\PROCEXP152.SYS*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and not
(SELECTION_5)) and not (SELECTION_6))
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers
may easily bypass this detection by just renaming the services. Therefore just Medium-level
and don't rely on it.
id: f2485272-a156-4773-82d7-1d178bc4905b
level: medium
logsource:
category: registry_event
product: windows
modified: 2021/11/27
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
status: test
tags:
- attack.t1089
- attack.t1562.001
- attack.defense_evasion
Reference in New Issue View Git Blame Copy Permalink