



The following is the uberAgent-ESA-am-vastlimits.conf configuration file that ships with uberAgent. It contains activity monitoring rules curated by vast limits for use with uberAgent ESA.

# This is the configuration file for uberAgent that contains the ESA process tagging definitions.
# It is only required if uberAgent ESA is enabled.
# Place it in the same directory as uberAgent.exe.

# Process.Start rules

# Named expression: the parent process is one of the listed Office executables and its
# Company string starts with "Microsoft" (case-insensitive). Referenced by the
# proc-start-msoffice-child rules and the Office download rule (proc-start-lolbas-download) below.
[AddActivityMonitoringExpression name=ParentIsMsOffice]
Query = istartswith(Parent.Company, "Microsoft") and Parent.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

# Same executable list as ParentIsMsOffice, evaluated against the started process itself.
# Not referenced by any rule on this page; kept for use in custom rules.
[AddActivityMonitoringExpression name=ProcessIsMsOffice]
Query = istartswith(Process.Company, "Microsoft") and Process.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

# Named expression: the process is a common web browser. Used below as an exclusion
# ("not ProcessIsBrowser") in the Office child-process rule and in the outbound
# Kerberos and 80/443 network rules, so an incomplete list produces false positives there.
[AddActivityMonitoringExpression name=ProcessIsBrowser]
Query = Process.Name in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]

# Named expression: Windows PowerShell (powershell.exe) or PowerShell 7 / Core (pwsh.exe).
# Referenced by the Office child, PowerShell network, PowerShell remoting and
# Windows-process network rules below.
[AddActivityMonitoringExpression name=ProcessIsPowerShell]
Query = Process.Name in ["powershell.exe", "pwsh.exe"]

# Named expression on the loaded image: the MAPI DLLs or the Office Outlook interop
# assembly (name starts with "Microsoft.Office.Interop.Outlook" and ends with ".dll").
# Not referenced by any rule on this page.
[AddActivityMonitoringExpression name=DLLIsMAPI]
Query = Image.Name in ["mapi32.dll", "msmapi32.dll"] or (istartswith(Image.Name, "Microsoft.Office.Interop.Outlook") and iendswith(Image.Name, ".dll"))

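# Named expression: the connection target is a loopback, RFC 1918 private, IPv6 link-local
# (fe80::/10) or IPv6 unique-local (fc00::/7) address. Several network rules below use
# "not TargetIsPrivateNetworkIP" to restrict themselves to internet-bound traffic, so an
# over-broad match here silently suppresses those detections.
# NOTE(review): the previous prefix checks "192." and "172." matched all of 192.0.0.0/8
# and 172.0.0.0/8 (mostly public space); the regexes pin them to 192.168.0.0/16 and
# 172.16.0.0/12. The IPv6 checks now cover the whole link-local and unique-local ranges
# instead of only the literal first groups "fe80", "fc00" and "fd00". Character classes
# are used because the case sensitivity of regex_match is not documented on this page.
[AddActivityMonitoringExpression name=TargetIsPrivateNetworkIP]
Query = istartswith(Net.Target.Ip, "127.") or istartswith(Net.Target.Ip, "10.") or regex_match(Net.Target.Ip, r"^192\.168\.") or regex_match(Net.Target.Ip, r"^172\.(1[6-9]|2[0-9]|3[01])\.") or regex_match(Net.Target.Ip, r"^[fF][eE][89aAbB][0-9a-fA-F]:") or regex_match(Net.Target.Ip, r"^[fF][cCdD][0-9a-fA-F]{2}:")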

# Allow-list for the net-connect-suspicious-RDP-connects rule: any process NOT in this list
# that connects to TCP 3389 is tagged. The comparison is on the file name only, so a
# legitimate RDP client under another name is a false positive — extend this list rather
# than the rule. chrome.exe is included presumably for Chrome Remote Desktop; confirm.
[AddActivityMonitoringExpression name=ProcessIsKnownRDPSoftware]
Query = Process.Name in ["mstsc.exe", "RTSApp.exe", "RTSApp2.exe", "RDCMan.exe", "ws_tunnelservice.exe", "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe", "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe", "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "MobaRTE.exe", "chrome.exe", "thor.exe", "thor64.exe", "RoyalTS.exe"]

# Named expression: the process image lives under %SystemRoot%\System32.
# NOTE(review): the %SystemRoot% token is used with regex_match_path throughout this file,
# so it is presumably expanded before matching — confirm against the uberAgent docs.
[AddActivityMonitoringExpression name=ProcessPathIsSystem32]
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\System32\\.*$")

# Named expression: the process image lives under %SystemRoot%\SysWOW64 (32-bit system
# binaries on 64-bit Windows). Same %SystemRoot% expansion assumption as ProcessPathIsSystem32.
[AddActivityMonitoringExpression name=ProcessPathIsSysWOW64]
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\SysWOW64\\.*$")

# Composite expression: either of the two system directories above. Used negated by the
# proc-start-lolbas-other-location rule to catch system binaries executed from elsewhere.
[AddActivityMonitoringExpression name=ProcessPathIsSystemDirectory]
Query = ProcessPathIsSystem32 or ProcessPathIsSysWOW64

# Tags process starts whose image directory carries a mandatory-integrity ACE with the
# Low label (LW). The four ".*?;" groups in the regex skip the ace_flags, rights,
# object_guid and inherit_object_guid fields of the SDDL ACE shown in the comment below.
# No RiskScore is set, so this rule only tags.
RuleName = Detect process starts from directories with a low mandatory integrity label
EventType = Process.Start
# MIC label format in the SDDL string: (ML;OICIID;;;;LW)
Tag = proc-start-dir-low-integrity
Query = regex_match(Process.DirectorySdSddl, r"\(ML;.*?;.*?;.*?;.*?;LW;?.*?\)")

# Tags process starts from a directory the current user can write to (boolean field
# evaluated by uberAgent). Expect a high volume of benign hits (user profile, temp
# directories); no RiskScore is set.
RuleName = Detect processes started from directories that are user-writeable
EventType = Process.Start
Tag = proc-start-dir-user-writeable
Query = Process.DirectoryUserWriteable == true

# Two rules share the Tag proc-start-msoffice-child. The first is the narrow case —
# a scripting interpreter, shell or ftp.exe spawned by Office — and carries RiskScore 100.
# The second tags every other Office child except browsers, the OneNote helper
# (onenotem.exe) and Word. The first rule's matches are a subset of the second's, so a
# cmd.exe child presumably matches both — confirm whether uberAgent evaluates all rules
# or stops at the first match before relying on RiskScore here.
RuleName = Detect script child processes of Microsoft Office applications
EventType = Process.Start
Tag = proc-start-msoffice-child
RiskScore = 100
Query = ParentIsMsOffice and (Process.Name in ["cmd.exe", "cscript.exe", "wscript.exe", "ftp.exe"] or ProcessIsPowerShell)

RuleName = Detect child processes of Microsoft Office applications
EventType = Process.Start
Tag = proc-start-msoffice-child
Query = ParentIsMsOffice and not ProcessIsBrowser and Process.Name != "onenotem.exe" and Process.Name != "winword.exe"

# Any child of the WMI provider host. Legitimate management tooling also spawns
# processes this way, so this is a tag-only rule without RiskScore.
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"

# Children of Acrobat Reader other than Adobe's own helper processes
# (RdrCEF.exe, a second acrord32.exe, the AdobeARM.exe updater).
RuleName = Detect child processes of Adobe Acrobat Reader
# Source:
EventType = Process.Start
Tag = proc-start-adobereader-child
Query = Parent.Name == "acrord32.exe" and Process.Name not in ["RdrCEF.exe", "acrord32.exe", "AdobeARM.exe"]

# Any child of a living-off-the-land binary known to launch other programs. No
# command-line condition, so ordinary administrative use (e.g. wsl.exe, msconfig.exe)
# is tagged as well.
RuleName = Detect child processes (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-child
Query = Parent.Name in ["bash.exe", "bitsadmin.exe", "diskshadow.exe", "forfiles.exe", "ftp.exe", "hh.exe", "ieexec.exe", "Microsoft.Workflow.Compiler.exe", "msconfig.exe", "pcalua.exe", "pcwrun.exe", "rundll32.exe", "scriptrunner.exe", "wmic.exe", "Appvlp.exe", "cdb.exe", "devtoolslauncher.exe", "dnx.exe", "dxcap.exe", "mftrace.exe", "msdeploy.exe", "Sqlps.exe", "SQLToolsPS.exe", "te.exe", "update.exe", "vsjitdebugger.exe", "wsl.exe", "squirrel.exe"]

# The next two stanzas share RuleName and Tag ("Detect DLL load (LOLBAS)" /
# proc-start-lolbas-dll-load). If RuleName must be unique per file, rename one of them.
# In "[\/|-]" the "|" is a literal inside the character class, not alternation; the
# class matches "/" or "-" (or a literal "|").
RuleName = Detect DLL load (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-dll-load
Query = Process.Name == "dnscmd.exe" and regex_match(Process.CommandLine, r"[\/|-]serverlevelplugindll.*\\\\.*\.dll")

RuleName = Detect DLL load (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-dll-load
Query = Process.Name == "MavInject.exe" and regex_match(Process.CommandLine, r"[\/|-]INJECTRUNNING")

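# System binaries executed from outside System32/SysWOW64 (see ProcessPathIsSystemDirectory
# above) — a common sign of a copied or masqueraded binary.
# NOTE(review): the list previously contained "wsscript.exe", which is not a Windows binary;
# the Windows Script Host executable is wscript.exe, so that entry never matched.
RuleName = Detect starts from non-default locations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-other-location
Query = not ProcessPathIsSystemDirectory and Process.Name in ["ie4uinit.exe", "cscript.exe", "wscript.exe", "cmd.exe"]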

# MSBuild driven by a project or inline-task file on the command line.
# NOTE(review): this is the only rule in the file that lower-cases Process.Name before
# comparing; elsewhere "==" and "in" are used directly with mixed casing
# ("Certutil.exe" vs "certutil.exe"), which suggests those comparisons are
# case-insensitive anyway — confirm, otherwise the mixed-case rules miss matches.
RuleName = Detect compile and execute (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-compile-and-exec
Query = lower(Process.Name) == "msbuild.exe" and (icontains(Process.CommandLine, ".csproj") or icontains(Process.CommandLine, ".xml"))

# regsvr32 loading a scriptlet (.sct) through scrobj.dll.
RuleName = Detect sct execute (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-sct-exec
Query = Process.Name == "regsvr32.exe" and regex_match(Process.CommandLine, r"\.sct.*scrobj\.dll")

# reg.exe importing a .reg file chained (via "&") with winrm quickconfig.
RuleName = Detect proxy execution (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-proxy-exec
Query = Process.Name == "reg.exe" and regex_match(Process.CommandLine, r"import.*\.reg.*&.*winrm.*quickconfig")

# Two UAC-bypass rules share Tag proc-start-lolbas-uac-bypass: eventvwr.exe normally
# spawns only mmc.exe, wsreset.exe normally spawns only conhost.exe; anything else is tagged.
RuleName = Detect event viewer UAC bypass (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-uac-bypass
Query = Parent.Name == "eventvwr.exe" and Process.Name != "mmc.exe"

RuleName = Detect wsreset UAC bypass (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-uac-bypass
Query = Parent.Name == "wsreset.exe" and Process.Name != "conhost.exe"

# jsc.exe compiling a JScript source file. "like" uses "%" as the wildcard, so this
# requires the command line to end in ".js".
RuleName = Detect jsc compile (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-compile
Query = Process.Name == "jsc.exe" and Process.CommandLine like "%.js"

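# csc.exe compiling C# source into an executable or a library. Shares the Tag
# proc-start-lolbas-compile with the jsc.exe rule above.
# NOTE(review): the dots in ".exe" and ".cs" are now escaped; unescaped they matched any
# character, e.g. "/out:a.exe" was also matched by "outXexe". The "[\/|-]" class matches
# "/" or "-" (the "|" inside it is a literal), consistent with the other LOLBAS rules.
RuleName = Detect csc compile (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-compile
Query = Process.Name == "csc.exe" and (regex_match(Process.CommandLine, r"[\/|-]out:.*\.exe.*\.cs") or regex_match(Process.CommandLine, r"[\/|-]target:library.*\.cs"))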

# Listed binaries invoked with a "name:stream" argument (regex "\w:\w"), the syntax for an
# NTFS alternate data stream. A drive letter ("C:\") does not match because "\" is not \w,
# but other "x:y" tokens in the command line will.
RuleName = Detect execution from alternate data streams (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-alternate-data-streams
Query = Process.Name in ["Certutil.exe", "Cmd.exe", "Control.exe", "Cscript.exe", "Esentutl.exe", "Expand.exe", "Extract32.exe", "Findstr.exe", "Makecab.exe", "Mavinject.exe", "Mshta.exe", "Print.exe", "Reg.exe", "Regedit.exe", "Sc.exe", "Wmic.exe", "Wscript.exe"] and regex_match(Process.CommandLine, r"\w:\w")

# rundll32 calling known application-whitelisting-bypass exports (dfshim, advpack,
# ieadvpack, setupapi, syssetup). Each alternative requires "<dll>.*,.*<export>".
RuleName = Detect AWL bypass (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-awl-bypass
Query = Process.Name == "rundll32.exe" and (regex_match(Process.CommandLine, r"dfshim.dll.*,.*ShOpenVerbApplication") or regex_match(Process.CommandLine, r"advpack.dll.*,.*LaunchINFSection") or regex_match(Process.CommandLine, r"ieadvpack.dll.*,.*LaunchINFSection") or regex_match(Process.CommandLine, r"setupapi.dll.*,.*InstallHinfSection") or regex_match(Process.CommandLine, r"syssetup.dll.*,.*SetupInfObjectInstallAction"))

# certutil -encode / -decode (base64 file transcoding).
RuleName = Detect encode and decode operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-encode-decode
Query = Process.Name == "certutil.exe" and (regex_match(Process.CommandLine, r"[\/|-]encode") or regex_match(Process.CommandLine, r"[\/|-]decode"))

# The following stanzas share Tag proc-start-lolbas-copy. The esentutl rule uses
# lookaheads so the /y /d /o (or /y /d /vss) switches may appear in any order.
RuleName = Detect esentutl.exe copy operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "esentutl.exe" and (regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]o)") or regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]vss)"))

# "\S+\s+\S+" only requires two whitespace-separated tokens, i.e. any expand.exe call
# with at least one argument after the program name is tagged; expect noise from
# legitimate installers.
RuleName = Detect expand.exe copy operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "expand.exe" and regex_match(Process.CommandLine, r"\S+\s+\S+")

RuleName = Detect print.exe copy operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "print.exe" and regex_match(Process.CommandLine, r"[\/|-]D:\S+\s+\S+")

RuleName = Detect replace.exe copy operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "replace.exe" and regex_match(Process.CommandLine, r"[\/|-]A")

# All stanzas in this group share Tag proc-start-lolbas-download. The certutil, extrac32
# and findstr rules use lookaheads so the switches may appear in any order.
RuleName = Detect certutil.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "certutil.exe" and (regex_match(Process.CommandLine, r"(?=.*[\/|-]urlcache)(?=.*[\/|-]split)(?=.*[\/|-]f)") or regex_match(Process.CommandLine, r"(?=.*[\/|-]verifyctl)(?=.*[\/|-]split)(?=.*[\/|-]f)"))

RuleName = Detect extrac32.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "extrac32.exe" and regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]c)")

# findstr /v /l with output redirection (">").
RuleName = Detect findstr.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "findstr.exe" and regex_match(Process.CommandLine, r"(?=.*[\/|-]v)(?=.*[\/|-]l)(?=.*>)")

# Like the expand.exe rule above, "\S+\s+\S+" matches any makecab.exe call with an argument.
RuleName = Detect makecab.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "makecab.exe" and regex_match(Process.CommandLine, r"\S+\s+\S+")

RuleName = Detect squirrel.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "squirrel.exe" and regex_match(Process.CommandLine, r"--download")

RuleName = Detect update.exe download operations (LOLBAS)
# Source:
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "update.exe" and regex_match(Process.CommandLine, r"--download")

# Any Office child whose command line contains "http" (the alternation "(http|https)"
# reduces to "http" since it is unanchored). Tagged regardless of the child's name.
RuleName = Detect Microsoft Office download operations (LOLBAS)
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = ParentIsMsOffice and regex_match(Process.CommandLine, r"(http|https)")

# Net.Send, Net.Receive, Net.Connect, Net.Reconnect, Net.Retransmit rules

# Processes running from under %SystemRoot% connecting to file-sharing / paste hosts
# commonly used for payload staging. Matches on the resolved target name, so connections
# by bare IP are not covered.
RuleName = Suspicious target names
# Source:
EventType = Net.Connect
Tag = net-connect-suspicious-target-names
RiskScore = 75
Query = regex_match_path(Process.Path, r"^%SystemRoot%") and (regex_match(Net.Target.Name, r"dl\.dropboxusercontent\.com") or regex_match(Net.Target.Name, r"\.pastebin\.com") or regex_match(Net.Target.Name, r"\.githubusercontent\.com") or regex_match(Net.Target.Name, r"\.github\.com"))

# PowerShell running as SYSTEM connecting to a non-private address; relies on
# TargetIsPrivateNetworkIP being accurate (see the expression definition above).
RuleName = PowerShell outbound network connections
EventType = Net.Connect
Tag = net-connect-outbound-powershell-network
Query = ProcessIsPowerShell and not TargetIsPrivateNetworkIP and regex_match(Process.User, r"^NT AUTHORITY\\SYSTEM$")

# Kerberos (TCP/UDP 88) to a non-private target from a non-browser process. Expect hits
# when domain controllers are reachable only through public address space.
RuleName = Suspicious outbound Kerberos connections
# Source:
EventType = Net.Connect
Tag = net-connect-outbound-kerberos
RiskScore = 75
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port == 88

# PowerShell to the WinRM ports (5985 HTTP, 5986 HTTPS) unless running as NETWORK SERVICE.
RuleName = PowerShell remoting
EventType = Net.Connect
Tag = net-connect-powershell-remoting
Query = ProcessIsPowerShell and Net.Target.Port in [5985, 5986] and not regex_match(Process.User, r"^NT AUTHORITY\\NETWORK SERVICE$")

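# Network connections by processes running from user-writeable or otherwise unusual
# locations (profiles, ProgramData, Windows\Temp, the recycle bin, PerfLogs, the
# systemprofile folder, Fonts, IME, addins).
# NOTE(review): two alternatives could never match before. "$Recycle.bin$" began with an
# unescaped "$" (an end-of-string anchor), so it required "Recycle" after the end of the
# path; it is now "\$Recycle\.[Bb]in" (the on-disk name is "$Recycle.Bin" and the case
# sensitivity of regex_match is not documented here). "^%Systemdrive%:\\Perflogs" doubled
# the colon — %SystemDrive% already expands to e.g. "C:", giving "C::\Perflogs" — assuming
# regex_match_path expands the token as it does for %SystemRoot% elsewhere in this file.
# The "^C:\\Users" alternative is hard-coded to drive C: and is kept as the author wrote it.
RuleName = Detect network connects from suspicious sources
EventType = Net.Connect
Tag = net-connect-suspicious-sources
Query = regex_match(Process.Path, r"^C:\\Users") or regex_match_path(Process.Path, r"^%ALLUSERSPROFILE%") or regex_match_path(Process.Path, r"^%ProgramData%") or regex_match_path(Process.Path, r"^%SystemRoot%\\Temp") or regex_match(Process.Path, r"\$Recycle\.[Bb]in") or regex_match_path(Process.Path, r"^%SystemDrive%\\Perflogs") or regex_match(Process.Path, r"config\\systemprofile") or regex_match_path(Process.Path, r"^%SystemRoot%\\Fonts") or regex_match_path(Process.Path, r"^%SystemRoot%\\IME") or regex_match_path(Process.Path, r"^%SystemRoot%\\addins")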

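# Network connections by built-in Windows tools that rarely need the network on their own
# (PowerShell via ProcessIsPowerShell, plus the list below). No RiskScore; tag-only.
# The Tag value keeps its mixed case ("Windows") because dashboards may filter on it.
# NOTE(review): "qwinsta.exe" was listed twice; the duplicate is removed (no behaviour change).
RuleName = Detect network connects from Windows processes
EventType = Net.Connect
Query = ProcessIsPowerShell or Process.Name in ["at.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "driverquery.exe", "dsquery.exe", "hh.exe", "infDefaultInstall.exe", "mmc.exe", "msbuild.exe", "mshta.exe", "msiexec.exe", "nbtstat.exe", "net.exe", "net1.exe", "notepad.exe", "nslookup.exe", "qprocess.exe", "qwinsta.exe", "reg.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe", "rwinsta.exe", "sc.exe", "schtasks.exe", "taskkill.exe", "tasklist.exe", "wmic.exe", "wscript.exe"]
Tag = net-connect-Windows-processes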

# Network connections by third-party remote-administration, scanning and tunnelling tools
# (Java runtimes, netcat, PsExec, VNC, Tor, nmap). Name-based only.
RuleName = Detect network connects from third-party tools
EventType = Net.Connect
Tag = net-connect-third-party-processes
Query = Process.Name in ["java.exe", "javaw.exe", "javaws.exe", "nc.exe", "ncat.exe", "psexec.exe", "psexesvc.exe", "tor.exe", "vnc.exe", "vncservice.exe", "vncviewer.exe", "winexesvc.exe", "nmap.exe", "psinfo.exe"]

# TCP 3389 from anything not in the ProcessIsKnownRDPSoftware allow-list above.
RuleName = RDP connects from non-RDP software indicating lateral movement
# Source:
EventType = Net.Connect
Tag = net-connect-suspicious-RDP-connects
Query = not ProcessIsKnownRDPSoftware and Net.Target.Port == 3389

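# Connections to ports associated with remote shells, clear-text mail, remote desktop,
# proxies and tunnelling. The inline /* */ comments inside the list name each service.
# NOTE(review): the IMAP entry was 142; IMAP is TCP 143 and 142 is unassigned for this
# purpose, so the value is corrected to match the author's label. 1723 is PPTP and 4500 is
# IPsec NAT-T rather than Tor; only 9001 (ORPort) and 9030 (DirPort) are Tor defaults.
# The port set is otherwise unchanged — only the labels were corrected.
RuleName = Detect network connects to suspicious ports
EventType = Net.Connect
Tag = net-connect-suspicious-ports
Query = Net.Target.Port in [ /* SSH */ 22, /* Telnet */ 23, /* SMTP */ 25, /* IMAP */ 143, /* VNC */ 5800, 5900, /* Proxies: SOCKS, Squid, HTTP-alt */ 1080, 3128, 8080, /* PPTP */ 1723, /* IPsec NAT-T */ 4500, /* Tor */ 9001, 9030]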

# HTTP/HTTPS to non-private addresses from anything that is not a browser. Very broad
# (updaters, Office, cloud agents), hence the low RiskScore of 25.
RuleName = Detect network connects to 80 and 443 from non-browser applications
EventType = Net.Connect
Tag = net-connect-80-443-non-browser
RiskScore = 25
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port in [80, 443]

# Registry rules

# Each event type and hive has to be enabled below before usage is possible later on

# Enabler stanza (see the comment above): Query = false means it never tags an event; its
# only effect is to switch on collection of Reg.Key.Create events for the HKLM hive so the
# reg-key-create-* rules below receive data. This stanza is active on this page although
# its RuleName still says "Uncomment stanza to enable".
RuleName = Enable HKLM key monitoring for Reg.Key.Create. Uncomment stanza to enable.
EventType = Reg.Key.Create
Hive = HKLM
Query = false
Tag = enable-HKLM-Reg.Key.Create
RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Create. Uncomment stanza to enable.
#EventType = Reg.Key.Create
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Create
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Create. Uncomment stanza to enable.
#EventType = Reg.Key.Create
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Create
#RiskScore = 0

# Enabler stanzas for Reg.Value.Write on HKLM and HKU (Query = false, RiskScore 0: no
# tagging, collection only). Both are active on this page; the reg-value-write-* rules
# below depend on them. The APP hive variant remains commented out.
RuleName = Enable HKLM key monitoring for Reg.Value.Write. Uncomment stanza to enable.
EventType = Reg.Value.Write
Hive = HKLM
Query = false
Tag = enable-HKLM-Reg.Value.Write
RiskScore = 0

RuleName = Enable HKU key monitoring for Reg.Value.Write. Uncomment stanza to enable.
EventType = Reg.Value.Write
Hive = HKU
Query = false
Tag = enable-HKU-Reg.Value.Write
RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Value.Write. Uncomment stanza to enable.
#EventType = Reg.Value.Write
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Value.Write
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Delete. Uncomment stanza to enable.
#EventType = Reg.Delete
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Delete
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Delete. Uncomment stanza to enable.
#EventType = Reg.Delete
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Delete
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Delete. Uncomment stanza to enable.
#EventType = Reg.Delete
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Delete
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Delete. Uncomment stanza to enable.
#EventType = Reg.Key.Delete
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Delete
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Delete. Uncomment stanza to enable.
#EventType = Reg.Key.Delete
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Delete
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Delete. Uncomment stanza to enable.
#EventType = Reg.Key.Delete
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Delete
#RiskScore = 0

# Enabler stanzas for Reg.Value.Delete on HKLM and HKU (Query = false: collection only).
# Required by the reg-value-delete-* rules below. Both are active on this page.
RuleName = Enable HKLM key monitoring for Reg.Value.Delete. Uncomment stanza to enable.
EventType = Reg.Value.Delete
Hive = HKLM
Query = false
Tag = enable-HKLM-Reg.Value.Delete
RiskScore = 0

RuleName = Enable HKU key monitoring for Reg.Value.Delete. Uncomment stanza to enable.
EventType = Reg.Value.Delete
Hive = HKU
Query = false
Tag = enable-HKU-Reg.Value.Delete
RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Value.Delete. Uncomment stanza to enable.
#EventType = Reg.Value.Delete
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Value.Delete
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.SecurityChange. Uncomment stanza to enable.
#EventType = Reg.Key.SecurityChange
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.SecurityChange
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.SecurityChange. Uncomment stanza to enable.
#EventType = Reg.Key.SecurityChange
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.SecurityChange
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.SecurityChange. Uncomment stanza to enable.
#EventType = Reg.Key.SecurityChange
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.SecurityChange
#RiskScore = 0

# Enabler stanza for Reg.Key.Rename on HKLM (Query = false: collection only). Required by
# the reg-key-rename-disable-security-eventlog rule below. Active on this page.
RuleName = Enable HKLM key monitoring for Reg.Key.Rename. Uncomment stanza to enable.
EventType = Reg.Key.Rename
Hive = HKLM
Query = false
Tag = enable-HKLM-Reg.Key.Rename
RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Rename. Uncomment stanza to enable.
#EventType = Reg.Key.Rename
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Rename
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Rename. Uncomment stanza to enable.
#EventType = Reg.Key.Rename
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Rename
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.SetInformation. Uncomment stanza to enable.
#EventType = Reg.Key.SetInformation
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.SetInformation
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.SetInformation. Uncomment stanza to enable.
#EventType = Reg.Key.SetInformation
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.SetInformation
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.SetInformation. Uncomment stanza to enable.
#EventType = Reg.Key.SetInformation
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.SetInformation
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Load. Uncomment stanza to enable.
#EventType = Reg.Key.Load
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Load
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Load. Uncomment stanza to enable.
#EventType = Reg.Key.Load
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Load
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Load. Uncomment stanza to enable.
#EventType = Reg.Key.Load
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Load
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Unload. Uncomment stanza to enable.
#EventType = Reg.Key.Unload
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Unload
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Unload. Uncomment stanza to enable.
#EventType = Reg.Key.Unload
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Unload
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Unload. Uncomment stanza to enable.
#EventType = Reg.Key.Unload
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Unload
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Save. Uncomment stanza to enable.
#EventType = Reg.Key.Save
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Save
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Save. Uncomment stanza to enable.
#EventType = Reg.Key.Save
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Save
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Save. Uncomment stanza to enable.
#EventType = Reg.Key.Save
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Save
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Restore. Uncomment stanza to enable.
#EventType = Reg.Key.Restore
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Restore
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Restore. Uncomment stanza to enable.
#EventType = Reg.Key.Restore
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Restore
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Restore. Uncomment stanza to enable.
#EventType = Reg.Key.Restore
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Restore
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Key.Replace. Uncomment stanza to enable.
#EventType = Reg.Key.Replace
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Key.Replace
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Key.Replace. Uncomment stanza to enable.
#EventType = Reg.Key.Replace
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Key.Replace
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Key.Replace. Uncomment stanza to enable.
#EventType = Reg.Key.Replace
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Key.Replace
#RiskScore = 0

#RuleName = Enable HKLM key monitoring for Reg.Any. Uncomment stanza to enable.
#EventType = Reg.Any
#Hive = HKLM
#Query = false
#Tag = enable-HKLM-Reg.Any
#RiskScore = 0

#RuleName = Enable HKU key monitoring for Reg.Any. Uncomment stanza to enable.
#EventType = Reg.Any
#Hive = HKU
#Query = false
#Tag = enable-HKU-Reg.Any
#RiskScore = 0

#RuleName = Enable APP key monitoring for Reg.Any. Uncomment stanza to enable.
#EventType = Reg.Any
#Hive = APP
#Query = false
#Tag = enable-APP-Reg.Any
#RiskScore = 0

# Below are the actual rules. Remember to enable each event type and hive above before adding rules.

# Writes to the "Blob" value of a certificate under the machine-wide AuthRoot, CA or Root
# stores (direct or policy-deployed, incl. EnterpriseCertificates). Adding a root CA here
# lets an attacker issue trusted certificates, hence RiskScore 100.
# NOTE(review): these two stanzas write the operator as "AND" whereas the rest of the file
# uses "and"; presumably keywords are case-insensitive — confirm, or normalise.
RuleName = Detect AuthRoot, CA and Root certificate changes per machine
# Source =
EventType = Reg.Value.Write
Query = regex_match_path(Reg.Key.Path, r"^HKLM\\Software(\\Policies)*\\Microsoft\\(EnterpriseCertificates|SystemCertificates)\\(AuthRoot|CA|Root)\\Certificates\\.+") AND Reg.Value.Name == "Blob"
Tag = reg-value-write-cert-change-per-machine
RiskScore = 100

# Same check for per-user stores under HKU\S-<SID>\...; requires the HKU Reg.Value.Write
# enabler stanza above.
RuleName = Detect AuthRoot, CA and Root certificate changes per user
# Source =
EventType = Reg.Value.Write
Query = regex_match_path(Reg.Key.Path, r"^HKU\\S-.*\\Software(\\Policies)*\\Microsoft\\SystemCertificates\\(AuthRoot|CA|Root)\\Certificates\\.+") AND Reg.Value.Name == "Blob"
Tag = reg-value-write-cert-change-per-user
RiskScore = 100

# A new key directly under ...\Services created by anything other than the Service Control
# Manager (services.exe), i.e. a service registered by writing the registry instead of
# through the SCM API. The "%ControlSet%" wildcard covers CurrentControlSet and ControlSet00N.
RuleName = Detect service creation via registry
EventType = Reg.Key.Create
Query = Reg.Parent.Key.Path like r"HKLM\\SYSTEM\\%ControlSet%\\Services" and Process.Name != "services.exe"
Tag = reg-key-create-service

# Writes (and, in the second stanza, deletes) under the Office Security keys that govern
# macro trust: TrustRecords (trusted documents), AccessVBOM (VBA object model access) and
# VBAWarnings (macro security level). Patterns are hive- and version-agnostic via the
# leading "%" wildcard. RiskScore 100 on both.
RuleName = Detect registry changes to Office macro settings
EventType = Reg.Value.Write
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings"
Tag = reg-value-write-office-macro-settings
RiskScore = 100

RuleName = Detect registry deletes to Office macro settings
EventType = Reg.Value.Delete
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings"
Tag = reg-value-delete-office-macro-settings
RiskScore = 100

# Writes and deletes on common autostart locations: Run/RunOnce/RunOnceEx/RunServices*,
# Winlogon Userinit and Shell, AppInit_DLLs, Windows\Load and Windows\Run (both native and
# Wow6432Node), and Explorer\User Shell Folders. The leading "%" wildcard makes each pattern
# apply to HKLM and every HKU sub-hive. The two stanzas carry identical path lists; keep
# them in sync when adding locations. No RiskScore; tag-only.
RuleName = Detect registry changes to autostart extensibility point (ASEP)
EventType = Reg.Value.Write
Query = Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
Tag = reg-value-write-autostart

RuleName = Detect registry deletes to autostart extensibility point (ASEP)
EventType = Reg.Value.Delete
Query = Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
Tag = reg-value-delete-autostart

# Writes to the two Terminal Server values that switch Remote Desktop on and control its
# authentication: UserAuthentication under WinStations\<name>, and fDenyTSConnections on
# the Terminal Server key itself. The second alternative is wrapped in a redundant extra
# pair of parentheses; harmless. Fires on legitimate GPO/admin changes as well (RiskScore 100).
RuleName = Detect potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections
EventType = Reg.Value.Write
Query = (Reg.Key.Path like r"%\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\%" and Reg.Value.Name == "UserAuthentication") or ((Reg.Key.Path like r"%\\CurrentControlSet\\Control\\Terminal Server" and Reg.Value.Name == "fDenyTSConnections"))
Tag = reg-value-write-enable-remote-connections
RiskScore = 100

# Writes of the UserInitMprLogonScript value under an Environment key (any hive); this
# value names a script run at logon and is a known persistence location. RiskScore 25.
RuleName = Detect creation or execution of UserInitMprLogonScript persistence method
EventType = Reg.Value.Write
Query = Reg.Key.Path like r"%\\Environment" and Reg.Value.Name == "UserInitMprLogonScript"
Tag = reg-value-write-userinitmprlogonscript-persistence
RiskScore = 25

# Creation — or, in the second stanza, rename — of a key named MiniNt under
# SYSTEM\<ControlSet>\Control. The rename variant checks the new path (Reg.Key.Path.New).
# Both require the HKLM Reg.Key.Create / Reg.Key.Rename enabler stanzas above. RiskScore 100.
RuleName = Detect disabling security eventlog on create
EventType = Reg.Key.Create
Query = Reg.Key.Path like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-create-disable-security-eventlog
RiskScore = 100

RuleName = Detect disabling security eventlog on rename
EventType = Reg.Key.Rename
Query = Reg.Key.Path.New like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-rename-disable-security-eventlog
RiskScore = 100

