Documentation

Contents
Contents
Contents
Contents

uberAgent-ESA-am-vastlimits.conf

The following is the uberAgent-ESA-am-vastlimits.conf configuration file that ships with uberAgent. It contains activity monitoring rules curated by vast limits for use with uberAgent ESA.

#
# This is the configuration file for uberAgent that contains the ESA process tagging definitions.
# It is only required if uberAgent ESA is enabled.
# Place it in the same directory as uberAgent.exe.
#

############################################
#
# Process.Start rules
#
############################################

[AddActivityMonitoringExpression name=ParentIsMsOffice]
Query = istartswith(Parent.Company, "Microsoft") and Parent.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

[AddActivityMonitoringExpression name=ProcessIsMsOffice]
Query = istartswith(Process.Company, "Microsoft") and Process.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

[AddActivityMonitoringExpression name=ProcessIsBrowser]
Query = Process.Name in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]

[AddActivityMonitoringExpression name=ProcessIsPowerShell]
Query = Process.Name in ["powershell.exe", "pwsh.exe"]

[AddActivityMonitoringExpression name=DLLIsMAPI]
Query = Image.Name in ["mapi32.dll", "msmapi32.dll"] or (istartswith(Image.Name, "Microsoft.Office.Interop.Outlook") and iendswith(Image.Name, ".dll"))

[AddActivityMonitoringExpression name=TargetIsPrivateNetworkIP]
Query = istartswith(Net.Target.Ip, "127.") or istartswith(Net.Target.Ip, "192.") or istartswith(Net.Target.Ip, "172.") or istartswith(Net.Target.Ip, "10.") or istartswith(Net.Target.Ip, "fe80") or istartswith(Net.Target.Ip, "fc00") or istartswith(Net.Target.Ip, "fd00")

[AddActivityMonitoringExpression name=ProcessIsKnownRDPSoftware]
Query = Process.Name in ["mstsc.exe", "RTSApp.exe", "RTSApp2.exe", "RDCMan.exe", "ws_tunnelservice.exe", "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe", "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe", "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "MobaRTE.exe", "chrome.exe", "thor.exe", "thor64.exe", "RoyalTS.exe"]

[AddActivityMonitoringExpression name=ProcessPathIsSystem32]
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\System32\\.*$")

[AddActivityMonitoringExpression name=ProcessPathIsSysWOW64]
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\SysWOW64\\.*$")

[AddActivityMonitoringExpression name=ProcessPathIsSystemDirectory]
Query = ProcessPathIsSystem32 or ProcessPathIsSysWOW64

[ActivityMonitoringRule]
RuleName = Detect process starts from directories with a low mandatory integrity label
EventType = Process.Start
# MIC label format in the SDDL string: (ML;OICIID;;;;LW)
Tag = proc-start-dir-low-integrity
Query = regex_match(Process.DirectorySdSddl, r"\(ML;.*?;.*?;.*?;.*?;LW;?.*?\)")

[ActivityMonitoringRule]
RuleName = Detect processes started from directories that are user-writeable
EventType = Process.Start
Tag = proc-start-dir-user-writeable
Query = Process.DirectoryUserWriteable == true

[ActivityMonitoringRule]
RuleName = Detect script child processes of Microsoft Office applications
EventType = Process.Start
Tag = proc-start-msoffice-child
RiskScore = 100
Query = ParentIsMsOffice and (Process.Name in ["cmd.exe", "cscript.exe", "wscript.exe", "ftp.exe"] or ProcessIsPowerShell)

[ActivityMonitoringRule]
RuleName = Detect child processes of Microsoft Office applications
EventType = Process.Start
Tag = proc-start-msoffice-child
Query = ParentIsMsOffice and not ProcessIsBrowser and Process.Name != "onenotem.exe" and Process.Name != "winword.exe"

[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"

[ActivityMonitoringRule]
RuleName = Detect child processes of Adobe Acrobat Reader
# Source: https://www.microsoft.com/security/blog/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/
EventType = Process.Start
Tag = proc-start-adobereader-child
Query = Parent.Name == "acrord32.exe" and Process.Name not in ["RdrCEF.exe", "acrord32.exe", "AdobeARM.exe"]

[ActivityMonitoringRule]
RuleName = Detect child processes (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-child
Query = Parent.Name in ["bash.exe", "bitsadmin.exe", "diskshadow.exe", "forfiles.exe", "ftp.exe", "hh.exe", "ieexec.exe", "Microsoft.Workflow.Compiler.exe", "msconfig.exe", "pcalua.exe", "pcwrun.exe", "rundll32.exe", "scriptrunner.exe", "wmic.exe", "Appvlp.exe", "cdb.exe", "devtoolslauncher.exe", "dnx.exe", "dxcap.exe", "mftrace.exe", "msdeploy.exe", "Sqlps.exe", "SQLToolsPS.exe", "te.exe", "update.exe", "vsjitdebugger.exe", "wsl.exe", "squirrel.exe"]

[ActivityMonitoringRule]
RuleName = Detect DLL load (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-dll-load
Query = Process.Name == "dnscmd.exe" and regex_match(Process.CommandLine, r"[\/|-]serverlevelplugindll.*\\\\.*\.dll")

[ActivityMonitoringRule]
RuleName = Detect DLL load (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-dll-load
Query = Process.Name == "MavInject.exe" and regex_match(Process.CommandLine, r"[\/|-]INJECTRUNNING")

[ActivityMonitoringRule]
RuleName = Detect starts from non-default locations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-other-location
Query = not ProcessPathIsSystemDirectory and Process.Name in ["ie4uinit.exe", "cscript.exe", "wsscript.exe", "cmd.exe"]

[ActivityMonitoringRule]
RuleName = Detect compile and execute (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile-and-exec
Query = lower(Process.Name) == "msbuild.exe" and (icontains(Process.CommandLine, ".csproj") or icontains(Process.CommandLine, ".xml"))

[ActivityMonitoringRule]
RuleName = Detect sct execute (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-sct-exec
Query = Process.Name == "regsvr32.exe" and regex_match(Process.CommandLine, r"\.sct.*scrobj\.dll")

[ActivityMonitoringRule]
RuleName = Detect proxy execution (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-proxy-exec
Query = Process.Name == "reg.exe" and regex_match(Process.CommandLine, r"import.*\.reg.*&.*winrm.*quickconfig")

[ActivityMonitoringRule]
RuleName = Detect event viewer UAC bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-uac-bypass
Query = Parent.Name == "eventvwr.exe" and Process.Name != "mmc.exe"

[ActivityMonitoringRule]
RuleName = Detect wsreset UAC bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-uac-bypass
Query = Parent.Name == "wsreset.exe" and Process.Name != "conhost.exe"

[ActivityMonitoringRule]
RuleName = Detect jsc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile
Query = Process.Name == "jsc.exe" and Process.CommandLine like "%.js"

[ActivityMonitoringRule]
RuleName = Detect csc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile
Query = Process.Name == "csc.exe" and (regex_match(Process.CommandLine, r"[\/|-]out:.*.exe.*.cs") or regex_match(Process.CommandLine, r"[\/|-]target:library.*.cs"))

[ActivityMonitoringRule]
RuleName = Detect execution from alternate data streams (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-alternate-data-streams
Query = Process.Name in ["Certutil.exe", "Cmd.exe", "Control.exe", "Cscript.exe", "Esentutl.exe", "Expand.exe", "Extract32.exe", "Findstr.exe", "Makecab.exe", "Mavinject.exe", "Mshta.exe", "Print.exe", "Reg.exe", "Regedit.exe", "Sc.exe", "Wmic.exe", "Wscript.exe"] and regex_match(Process.CommandLine, r"\w:\w")

[ActivityMonitoringRule]
RuleName = Detect AWL bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-awl-bypass
Query = Process.Name == "rundll32.exe" and (regex_match(Process.CommandLine, r"dfshim.dll.*,.*ShOpenVerbApplication") or regex_match(Process.CommandLine, r"advpack.dll.*,.*LaunchINFSection") or regex_match(Process.CommandLine, r"ieadvpack.dll.*,.*LaunchINFSection") or regex_match(Process.CommandLine, r"setupapi.dll.*,.*InstallHinfSection") or regex_match(Process.CommandLine, r"syssetup.dll.*,.*SetupInfObjectInstallAction"))

[ActivityMonitoringRule]
RuleName = Detect encode and decode operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-encode-decode
Query = Process.Name == "certutil.exe" and (regex_match(Process.CommandLine, r"[\/|-]encode") or regex_match(Process.CommandLine, r"[\/|-]decode"))

[ActivityMonitoringRule]
RuleName = Detect esentutl.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "esentutl.exe" and (regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]o)") or regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]vss)"))

[ActivityMonitoringRule]
RuleName = Detect expand.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "expand.exe" and regex_match(Process.CommandLine, r"\S+\s+\S+")

[ActivityMonitoringRule]
RuleName = Detect print.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "print.exe" and regex_match(Process.CommandLine, r"[\/|-]D:\S+\s+\S+")

[ActivityMonitoringRule]
RuleName = Detect replace.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-copy
Query = Process.Name == "replace.exe" and regex_match(Process.CommandLine, r"[\/|-]A")

[ActivityMonitoringRule]
RuleName = Detect certutil.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "certutil.exe" and (regex_match(Process.CommandLine, r"(?=.*[\/|-]urlcache)(?=.*[\/|-]split)(?=.*[\/|-]f)") or regex_match(Process.CommandLine, r"(?=.*[\/|-]verifyctl)(?=.*[\/|-]split)(?=.*[\/|-]f)"))

[ActivityMonitoringRule]
RuleName = Detect extrac32.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "extrac32.exe" and regex_match(Process.CommandLine, r"(?=.*[\/|-]y)(?=.*[\/|-]c)")

[ActivityMonitoringRule]
RuleName = Detect findstr.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "findstr.exe" and regex_match(Process.CommandLine, r"(?=.*[\/|-]v)(?=.*[\/|-]l)(?=.*>)")

[ActivityMonitoringRule]
RuleName = Detect makecab.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "makecab.exe" and regex_match(Process.CommandLine, r"\S+\s+\S+")

[ActivityMonitoringRule]
RuleName = Detect squirrel.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "squirrel.exe" and regex_match(Process.CommandLine, r"--download")

[ActivityMonitoringRule]
RuleName = Detect update.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = Process.Name == "update.exe" and regex_match(Process.CommandLine, r"--download")

[ActivityMonitoringRule]
RuleName = Detect Microsoft Office download operations (LOLBAS)
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = ParentIsMsOffice and regex_match(Process.CommandLine, r"(http|https)")


############################################
#
# Net.Send, Net.Receive, Net.Connect, Net.Reconnect, Net.Retransmit rules
#
############################################

[ActivityMonitoringRule]
RuleName = Suspicious target names
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-suspicious-target-names
RiskScore = 75
Query = regex_match_path(Process.Path, r"^%SystemRoot%") and (regex_match(Net.Target.Name, r"dl\.dropboxusercontent\.com") or regex_match(Net.Target.Name, r"\.pastebin\.com") or regex_match(Net.Target.Name, r"\.githubusercontent\.com") or regex_match(Net.Target.Name, r"\.github\.com"))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = PowerShell outbound network connections
EventType = Net.Connect
Tag = net-connect-outbound-powershell-network
Query = ProcessIsPowerShell and not TargetIsPrivateNetworkIP and regex_match(Process.User, r"^NT AUTHORITY\\SYSTEM$")
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Suspicious outbound Kerberos connections
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-outbound-kerberos
RiskScore = 75
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port == 88
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = PowerShell remoting
EventType = Net.Connect
Tag = net-connect-powershell-remoting
Query = ProcessIsPowerShell and Net.Target.Port in [5985, 5986] and not regex_match(Process.User, r"^NT AUTHORITY\\NETWORK SERVICE$")
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Detect network connects from suspicious sources
EventType = Net.Connect
Tag = net-connect-suspicious-sources
Query = regex_match(Process.Path, r"^C:\\Users") or regex_match_path(Process.Path, r"^%ALLUSERSPROFILE%") or regex_match_path(Process.Path, r"^%ProgramData%") or regex_match_path(Process.Path, r"^%SystemRoot%\\Temp") or regex_match(Process.Path, r"$Recycle.bin$") or regex_match_path(Process.Path, r"^%Systemdrive%:\\Perflogs") or regex_match(Process.Path, r"config\\systemprofile") or regex_match_path(Process.Path, r"^%SystemRoot%\\Fonts") or regex_match_path(Process.Path, r"^%SystemRoot%\\IME") or regex_match_path(Process.Path, r"^%SystemRoot%\\addins")
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Detect network connects from Windows processes
EventType = Net.Connect
Query = ProcessIsPowerShell or Process.Name in ["at.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "driverquery.exe", "dsquery.exe", "hh.exe", "infDefaultInstall.exe", "mmc.exe", "msbuild.exe", "mshta.exe", "msiexec.exe", "nbtstat.exe", "net.exe", "net1.exe", "notepad.exe", "nslookup.exe", "qprocess.exe", "qwinsta.exe", "qwinsta.exe", "reg.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe", "rwinsta.exe", "sc.exe", "schtasks.exe", "taskkill.exe", "tasklist.exe", "wmic.exe", "wscript.exe"]
Tag = net-connect-Windows-processes
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Detect network connects from third-party tools
EventType = Net.Connect
Tag = net-connect-third-party-processes
Query = Process.Name in ["java.exe", "javaw.exe", "javaws.exe", "nc.exe", "ncat.exe", "psexec.exe", "psexesvc.exe", "tor.exe", "vnc.exe", "vncservice.exe", "vncviewer.exe", "winexesvc.exe", "nmap.exe", "psinfo.exe"]
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = RDP connects from non-RDP software indicating lateral movement
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-suspicious-RDP-connects
Query = not ProcessIsKnownRDPSoftware and Net.Target.Port == 3389
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Detect network connects to suspicious ports
EventType = Net.Connect
Tag = net-connect-suspicious-ports
Query = Net.Target.Port in [ /* SSH */ 22, /* Telnet */ 23, /* SMTP */ 25, /* IMAP */ 142, /* VNC */ 5800, 5900, /* Socks proxy */ 1080, 3128, 8080, /* Tor */ 1723, 4500, 9001, 9030]
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleName = Detect network connects to 80 and 443 from non-browser applications
EventType = Net.Connect
Tag = net-connect-80-443-non-browser
RiskScore = 25
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port in [80, 443]
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

############################################
#
# Registry rules
#
############################################


[ActivityMonitoringRule]
RuleName = Detect AuthRoot, CA and Root certificate changes
# Source = https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
EventType = Reg.Value.Write
Hive = HKLM,HKU
Query = regex_match_path(Reg.Key.Path, r"Software(\\Policies)*\\Microsoft\\(EnterpriseCertificates|SystemCertificates)\\(AuthRoot|CA|Root)\\Certificates\\.+") AND Reg.Value.Name == "Blob"
Tag = reg-value-write-cert-change
RiskScore = 100
GenericProperty1 = Reg.Key.Path

[ActivityMonitoringRule]
RuleName = Detect service creation via registry
EventType = Reg.Key.Create
Hive = HKLM
Query = Reg.Parent.Key.Path like r"SYSTEM\\%ControlSet%\\Services" and Process.Name != "services.exe"
Tag = reg-key-create-service
GenericProperty1 = Reg.Key.Path

[ActivityMonitoringRule]
RuleName = Detect registry changes to Office macro settings
EventType = Reg.Value.Write
Hive = HKLM,HKU
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings" or Reg.Key.Path like r"%\\Security\\Trusted Locations\\%"
Tag = reg-value-write-office-macro-settings
RiskScore = 100
GenericProperty1 = Reg.Key.Path

[ActivityMonitoringRule]
RuleName = Detect registry deletes to Office macro settings
EventType = Reg.Value.Delete
Hive = HKLM,HKU
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings" or Reg.Key.Path like r"%\\Security\\Trusted Locations\\%"
Tag = reg-value-delete-office-macro-settings
RiskScore = 100
GenericProperty1 = Reg.Key.Path

[ActivityMonitoringRule]
RuleName = Detect registry changes to autostart extensibility point (ASEP)
EventType = Reg.Value.Write
Hive = HKLM,HKU
Query = Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
Tag = reg-value-write-autostart
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Value.Name

[ActivityMonitoringRule]
RuleName = Detect registry deletes to autostart extensibility point (ASEP)
EventType = Reg.Value.Delete
Hive = HKLM,HKU
Query = Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" or Reg.Key.Path like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
Tag = reg-value-delete-autostart
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Value.Name

[ActivityMonitoringRule]
RuleName = Detect potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections
EventType = Reg.Value.Write
Hive = HKLM
Query = (Reg.Key.Path like r"%\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\%" and Reg.Value.Name == "UserAuthentication") or ((Reg.Key.Path like r"%\\CurrentControlSet\\Control\\Terminal Server" and Reg.Value.Name == "fDenyTSConnections"))
Tag = reg-value-write-enable-remote-connections
RiskScore = 100
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Value.Name

[ActivityMonitoringRule]
RuleName = Detect creation or execution of UserInitMprLogonScript persistence method
EventType = Reg.Value.Write
Hive = HKU
Query = Reg.Key.Path like r"%\\Environment" and Reg.Value.Name == "UserInitMprLogonScript"
Tag = reg-value-write-userinitmprlogonscript-persistence
RiskScore = 25
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Value.Name

[ActivityMonitoringRule]
RuleName = Detect disabling security eventlog on create
EventType = Reg.Key.Create
Hive = HKLM
Query = Reg.Key.Path like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-create-disable-security-eventlog
RiskScore = 100
GenericProperty1 = Reg.Key.Path

[ActivityMonitoringRule]
RuleName = Detect disabling security eventlog on rename
EventType = Reg.Key.Rename
Hive = HKLM
Query = Reg.Key.Path.New like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-rename-disable-security-eventlog
RiskScore = 100
GenericProperty1 = Reg.Key.Path

Leave a Reply

Your email address will not be published. Required fields are marked *