35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
title: Run Once Task Configuration in Registry
|
|
author: Avneet Singh @v3t0_, oscd.community
|
|
date: 2020/11/15
|
|
description: Rule to detect the configuration of Run Once registry key. Configured
|
|
payload can be run by runonce.exe /AlternateShellStartup
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 12
|
|
SELECTION_2:
|
|
EventID: 13
|
|
SELECTION_3:
|
|
EventID: 14
|
|
SELECTION_4:
|
|
TargetObject: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components*
|
|
SELECTION_5:
|
|
TargetObject: '*\StubPath'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
|
|
falsepositives:
|
|
- Legitimate modification of the registry key by legitimate program
|
|
id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
|
|
level: medium
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
references:
|
|
- https://twitter.com/pabraeken/status/990717080805789697
|
|
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1112
|
|
yml_filename: sysmon_runonce_persistence.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
|
|
|