42 lines
1.1 KiB
YAML
42 lines
1.1 KiB
YAML
|
|
title: Detected Windows Software Discovery
|
|
ruletype: Sigma
|
|
author: Nikita Nazarov, oscd.community
|
|
date: 2020/10/16
|
|
description: Adversaries may attempt to enumerate software for a variety of reasons,
|
|
such as figuring out what security measures are present or if the compromised system
|
|
has a version of software that is vulnerable.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image: '*\reg.exe'
|
|
SELECTION_3:
|
|
CommandLine: '*query*'
|
|
SELECTION_4:
|
|
CommandLine: '*\software\\*'
|
|
SELECTION_5:
|
|
CommandLine: '*/v*'
|
|
SELECTION_6:
|
|
CommandLine: '*svcversion*'
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
|
|
and SELECTION_6)
|
|
falsepositives:
|
|
- Legitimate administration activities
|
|
id: e13f668e-7f95-443d-98d2-1816a7648a7b
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/09/21
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
|
|
- https://github.com/harleyQu1nn/AggressorScripts
|
|
related:
|
|
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
|
|
type: derived
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1518
|