38 lines
1.4 KiB
YAML
38 lines
1.4 KiB
YAML
title: Removal of Potential COM Hijacking Registry Keys
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
|
date: 2020/05/02
|
|
description: A General detection to trigger for processes removing .*\shell\open\command
|
|
registry keys. Registry keys that might have been used for COM hijacking activities.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 12
|
|
SELECTION_2:
|
|
EventID: 13
|
|
SELECTION_3:
|
|
EventID: 14
|
|
SELECTION_4:
|
|
EventType: DeleteKey
|
|
SELECTION_5:
|
|
TargetObject: '*\shell\open\command'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
|
|
falsepositives:
|
|
- unknown
|
|
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
|
|
level: medium
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
references:
|
|
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
|
|
- https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
|
|
- https://docs.microsoft.com/en-us/windows/win32/shell/launch
|
|
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
|
|
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1112
|
|
yml_filename: sysmon_removal_com_hijacking_registry_key.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
|
|
|