
uberAgent-ESA-am-vastlimits.conf

The following is the uberAgent-ESA-am-vastlimits.conf configuration file that ships with uberAgent. It contains activity monitoring rules curated by vast limits for use with uberAgent ESA.

#
# This is the configuration file for uberAgent that contains the ESA process tagging definitions.
# It is only required if uberAgent ESA is enabled.
# Place it in the same directory as uberAgent.exe.
#

############################################
#
# Process.Start rules
#
############################################

[AddActivityMonitoringExpression name=ParentIsMsOffice]
# Named expression: the parent process is one of the listed Office executables
# and its company string starts with "Microsoft". Referenced by the Office
# child-process and Office download rules below.
Query = istartswith(Parent.Company, "Microsoft") and Parent.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

[AddActivityMonitoringExpression name=ProcessIsMsOffice]
# Same test as ParentIsMsOffice, applied to the process itself.
# Not referenced by any rule in this file; available for custom rules.
Query = istartswith(Process.Company, "Microsoft") and Process.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

[AddActivityMonitoringExpression name=ProcessIsBrowser]
# Common browsers, matched on image name only (no path or company check).
# Several network rules below use "not ProcessIsBrowser" as an exclusion, so
# anything carrying one of these names is excluded as well - keep the list tight.
Query = Process.Name in ["chrome.exe", "iexplore.exe", "firefox.exe", "msedge.exe", "opera.exe"]

[AddActivityMonitoringExpression name=ProcessIsPowerShell]
# Windows PowerShell (powershell.exe) and PowerShell 7 (pwsh.exe), by image name.
Query = Process.Name in ["powershell.exe", "pwsh.exe"]

[AddActivityMonitoringExpression name=DLLIsMAPI]
# Image.Name is one of the MAPI libraries or an Outlook interop assembly DLL.
# Not referenced by any rule in this file; presumably intended for image-load
# events in custom rules - confirm the event type before using it.
Query = Image.Name in ["mapi32.dll", "msmapi32.dll"] or (istartswith(Image.Name, "Microsoft.Office.Interop.Outlook") and iendswith(Image.Name, ".dll"))

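[AddActivityMonitoringExpression name=TargetIsPrivateNetworkIP]
# Target address is loopback, RFC 1918 private, link-local or IPv6 unique-local.
# Several network rules below negate this expression, so over-matching here
# silently suppresses alerts. The previous plain prefixes "192." and "172."
# also covered public space (192.0.x.x, 172.32-255.x.x) and "fd00" missed most
# of fc00::/7 (fd12:..., fdab:...); the anchored regex below matches the
# actual ranges: 127/8, 10/8, 192.168/16, 172.16/12, 169.254/16, ::1,
# fe80: link-local and fc00::/7 unique-local.
# NOTE(review): assumes Net.Target.Ip is the textual address with no zone id or
# IPv4-mapped IPv6 form - confirm against captured events.
Query = regex_match(Net.Target.Ip, r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|[fF][eE]80:|[fF][cdCD][0-9a-fA-F]{2}:)")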

[AddActivityMonitoringExpression name=ProcessIsKnownRDPSoftware]
# Allow-list of remote desktop clients, matched on image name only. The RDP
# rule in the network section negates this expression. Note that chrome.exe is
# on the list (presumably for browser-based RDP clients), which also excludes
# every other Chrome connection to port 3389 - review whether that is intended.
Query = Process.Name in ["mstsc.exe", "RTSApp.exe", "RTSApp2.exe", "RDCMan.exe", "ws_tunnelservice.exe", "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe", "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe", "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "MobaRTE.exe", "chrome.exe", "thor.exe", "thor64.exe", "RoyalTS.exe"]

[AddActivityMonitoringExpression name=ProcessPathIsSystem32]
# Process image lives below %SystemRoot%\System32. regex_match_path appears to
# expand the environment variable before matching (same pattern as the other
# path expressions in this file).
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\System32\\.*$")

[AddActivityMonitoringExpression name=ProcessPathIsSysWOW64]
# Process image lives below %SystemRoot%\SysWOW64 (32-bit system binaries).
Query = regex_match_path(Process.Path, r"^%SystemRoot%\\SysWOW64\\.*$")

[AddActivityMonitoringExpression name=ProcessPathIsSystemDirectory]
# Either system binary directory. Used by the LOLBAS "non-default location"
# rule to spot well-known tool names running from anywhere else.
Query = ProcessPathIsSystem32 or ProcessPathIsSysWOW64

[ActivityMonitoringRule]
RuleId = 84fae5e2-fae0-427e-b9e4-1c6a371b9913
RuleName = Detect process starts from directories with a low mandatory integrity label
EventType = Process.Start
# Fires when the directory of the process image (Process.DirectorySdSddl)
# carries a mandatory label ACE whose SID is LW (low mandatory level).
# MIC label format in the SDDL string: (ML;OICIID;;;;LW)
# The lazy ".*?" fields allow any ACE flags/rights; the SID field must be LW.
# No RiskScore is set here (compare the Office script-child rule below).
Tag = proc-start-dir-low-integrity
Annotation = {"mitre_attack": ["T1548"]}
Query = regex_match(Process.DirectorySdSddl, r"\(ML;.*?;.*?;.*?;.*?;LW;?.*?\)")

[ActivityMonitoringRule]
RuleId = 7a16b05d-7d9d-4b83-8dab-3b294ef39d90
RuleName = Detect processes started from directories that are user-writeable
EventType = Process.Start
Tag = proc-start-dir-user-writeable
Annotation = {"mitre_attack": ["T1548"]}
# Relies on the agent's own writeability evaluation of the image directory;
# expect this to fire for every start from a user profile or temp folder, so
# it is a tagging rule rather than an alert on its own.
Query = Process.DirectoryUserWriteable == true

[ActivityMonitoringRule]
RuleId = 67c7f3a2-daa6-4606-9954-9d1ca1531747
RuleName = Detect script child processes of Microsoft Office applications
EventType = Process.Start
# Shares its Tag with the generic Office child rule below, so a matching event
# is tagged by both; this rule adds the maximum risk score.
Tag = proc-start-msoffice-child
RiskScore = 100
Annotation = {"mitre_attack": ["T1204.002"]}
# Office parent spawning a shell, Windows Script Host, ftp or PowerShell.
Query = ParentIsMsOffice and (Process.Name in ["cmd.exe", "cscript.exe", "wscript.exe", "ftp.exe"] or ProcessIsPowerShell)

[ActivityMonitoringRule]
RuleId = 32951151-cb3c-435f-bb2d-5043802fc055
RuleName = Detect child processes of Microsoft Office applications
EventType = Process.Start
Tag = proc-start-msoffice-child
Annotation = {"mitre_attack": ["T1204.002"]}
# Any non-browser child of an Office parent, except onenotem.exe and
# winword.exe. Other Office-to-Office launches (e.g. outlook.exe starting
# excel.exe) are still tagged - TODO confirm that is intended.
Query = ParentIsMsOffice and not ProcessIsBrowser and Process.Name != "onenotem.exe" and Process.Name != "winword.exe"

[ActivityMonitoringRule]
RuleId = 0a1bbfbc-e0d9-4c49-953e-e31c3aa3fc91
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Annotation = {"mitre_attack": ["T1047"]}
# Every child of the WMI provider host; no child-name filter, so legitimate
# management tooling will also be tagged.
Query = Parent.Name == "wmiprvse.exe"

[ActivityMonitoringRule]
RuleId = 8a16160d-4eac-4ae4-8fe4-7af7320ebf1e
RuleName = Detect child processes of Adobe Acrobat Reader
# Source: https://www.microsoft.com/security/blog/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/
EventType = Process.Start
Tag = proc-start-adobereader-child
Annotation = {"mitre_attack": ["T1204.002"]}
# Reader children other than its own helper processes. The parent name is
# lower-case while the exclusions are mixed-case; whether "==" and "in" are
# case-insensitive is parser-defined - confirm (the msbuild rule below uses
# lower() explicitly).
Query = Parent.Name == "acrord32.exe" and Process.Name not in ["RdrCEF.exe", "acrord32.exe", "AdobeARM.exe"]

[ActivityMonitoringRule]
RuleId = 0e85dc3b-6230-4e8c-b09a-183c23bf31a7
RuleName = Detect child processes (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-child
Annotation = {"mitre_attack": ["T1218"]}
# Any child of a LOLBAS parent. bash.exe and wsl.exe are on the list, so every
# process launched from WSL is tagged; tune if WSL is in normal use.
Query = Parent.Name in ["bash.exe", "bitsadmin.exe", "diskshadow.exe", "forfiles.exe", "ftp.exe", "hh.exe", "ieexec.exe", "Microsoft.Workflow.Compiler.exe", "msconfig.exe", "pcalua.exe", "pcwrun.exe", "rundll32.exe", "scriptrunner.exe", "wmic.exe", "Appvlp.exe", "cdb.exe", "devtoolslauncher.exe", "dnx.exe", "dxcap.exe", "mftrace.exe", "msdeploy.exe", "Sqlps.exe", "SQLToolsPS.exe", "te.exe", "update.exe", "vsjitdebugger.exe", "wsl.exe", "squirrel.exe"]

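[ActivityMonitoringRule]
RuleId = 3b95cda6-6057-42cc-bf6b-9b49d0848ca4
RuleName = Detect starts from non-default locations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-other-location
Annotation = {"mitre_attack": ["T1218"]}
# The listed system tools normally live in System32/SysWOW64; a start from any
# other directory is tagged. "wsscript.exe" was a typo for wscript.exe (the
# Windows Script Host binary, spelled correctly in the Office script rule
# above), so the rule never matched that tool.
Query = not ProcessPathIsSystemDirectory and Process.Name in ["ie4uinit.exe", "cscript.exe", "wscript.exe", "cmd.exe"]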

[ActivityMonitoringRule]
RuleId = 25b35200-5154-4154-a2dd-0e4c932b8366
RuleName = Detect compile and execute (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile-and-exec
Annotation = {"mitre_attack": ["T1127.001"]}
# msbuild.exe given a .csproj or .xml project on the command line. This is the
# only rule in the file that normalises Process.Name with lower() before
# comparing; the other rules compare the raw name.
Query = lower(Process.Name) == "msbuild.exe" and (icontains(Process.CommandLine, ".csproj") or icontains(Process.CommandLine, ".xml"))

[ActivityMonitoringRule]
RuleId = 9220e5d6-5c97-44ac-9dca-2063300d62d1
RuleName = Detect proxy execution (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-proxy-exec
Annotation = {"mitre_attack": ["T1218"]}
# reg.exe importing a .reg file in a command chain that also runs
# "winrm quickconfig"; the regex is unanchored and case-sensitive unless the
# engine is configured otherwise - confirm.
Query = Process.Name == "reg.exe" and regex_match(Process.CommandLine, r"import.*\.reg.*&.*winrm.*quickconfig")

[ActivityMonitoringRule]
RuleId = 6b0add9d-8df0-4df3-899c-d36e020329fb
RuleName = Detect jsc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile
Annotation = {"mitre_attack": ["T1127"]}
# "like '%.js'" only matches when ".js" is the very end of the command line;
# a trailing quote or further arguments defeat it. Consider a regex such as
# \.js\b if broader coverage is wanted.
Query = Process.Name == "jsc.exe" and Process.CommandLine like "%.js"

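[ActivityMonitoringRule]
RuleId = c9e5bbda-d545-45f9-b0cd-505d25899c1e
RuleName = Detect csc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-compile
Annotation = {"mitre_attack": ["T1127"]}
# csc.exe producing an .exe via /out: (or -out:) or a library via
# /target:library from .cs sources. The dots in ".exe" and ".cs" are escaped
# so they match literally (an unescaped "." matched any character), and the
# character class no longer contains a stray "|" that matched a literal pipe.
Query = Process.Name == "csc.exe" and (regex_match(Process.CommandLine, r"[\/-]out:.*\.exe.*\.cs") or regex_match(Process.CommandLine, r"[\/-]target:library.*\.cs"))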

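[ActivityMonitoringRule]
RuleId = 5417022a-b435-49e5-8b4a-14c57f25af94
RuleName = Detect execution from alternate data streams (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-alternate-data-streams
Annotation = {"mitre_attack": ["T1564.004"]}
# Image names are written in their on-disk lower-case form like the other
# rules in this file (the previous title-cased names would not match if the
# "in" comparison is case-sensitive), and "Extract32.exe" is corrected to
# extrac32.exe, the actual binary name listed by LOLBAS.
# The "\w:\w" pattern (word character, colon, word character) is broad and
# also matches ordinary "key:value" arguments; expect tuning.
# NOTE(review): confirm whether Process.Name is reported with on-disk casing.
Query = Process.Name in ["certutil.exe", "cmd.exe", "control.exe", "cscript.exe", "esentutl.exe", "expand.exe", "extrac32.exe", "findstr.exe", "makecab.exe", "mavinject.exe", "mshta.exe", "print.exe", "reg.exe", "regedit.exe", "sc.exe", "wmic.exe", "wscript.exe"] and regex_match(Process.CommandLine, r"\w:\w")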

[ActivityMonitoringRule]
RuleId = b95c2154-3299-4653-9b6e-d421a158e6ba
RuleName = Detect encode and decode operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-encode-decode
Annotation = {"mitre_attack": ["T1027"]}
# certutil.exe with an /encode or /decode switch (either slash or dash).
# The "|" inside the character class is a literal pipe, not alternation;
# "[\/-]" is the intended class.
Query = Process.Name == "certutil.exe" and (regex_match(Process.CommandLine, r"[\/|-]encode") or regex_match(Process.CommandLine, r"[\/|-]decode"))

[ActivityMonitoringRule]
RuleId = dee9e5ed-7d35-4658-a474-26c6ab4b40de
RuleName = Detect findstr.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
# NOTE(review): T1185 (browser session hijacking) looks mis-mapped for a
# download rule; the makecab download rule below uses T1105 - confirm.
Annotation = {"mitre_attack": ["T1185"]}
# Three order-independent look-aheads: a /v (or -v) switch, a /l (or -l)
# switch and an output redirection (">") somewhere in the command line.
Query = Process.Name == "findstr.exe" and regex_match(Process.CommandLine, r"(?=.*[\/|-]v)(?=.*[\/|-]l)(?=.*>)")

[ActivityMonitoringRule]
RuleId = 5563d38c-c379-4e84-bfe0-51f136a84fdb
RuleName = Detect makecab.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Annotation = {"mitre_attack": ["T1105"]}
# "\S+\s+\S+" is satisfied by any command line with at least two tokens, so
# this effectively tags every makecab.exe start that has an argument.
Query = Process.Name == "makecab.exe" and regex_match(Process.CommandLine, r"\S+\s+\S+")

[ActivityMonitoringRule]
RuleId = ac0afdf9-9e9e-4439-ba01-841acbacf8ab
RuleName = Detect squirrel.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
# NOTE(review): this and the update.exe rule use T1218 while the other
# download rules use T1105 - confirm the intended mapping.
Annotation = {"mitre_attack": ["T1218"]}
# Name match only; squirrel.exe is also the name of a common installer
# framework binary, so expect benign hits from application updaters.
Query = Process.Name == "squirrel.exe" and regex_match(Process.CommandLine, r"--download")

[ActivityMonitoringRule]
RuleId = bc4001fa-a83d-4192-9225-89bb54d6a4b1
RuleName = Detect update.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Tag = proc-start-lolbas-download
Annotation = {"mitre_attack": ["T1218"]}
# Name match only; "update.exe" is a very common installer/updater name, so
# this rule will also tag legitimate application updates.
Query = Process.Name == "update.exe" and regex_match(Process.CommandLine, r"--download")

[ActivityMonitoringRule]
RuleId = 35b69884-90d6-4000-a017-b3e3be5c1026
RuleName = Detect Microsoft Office download operations (LOLBAS)
EventType = Process.Start
Tag = proc-start-lolbas-download
Annotation = {"mitre_attack": ["T1105"]}
# Any Office child whose command line contains "http" ("(http|https)" is
# equivalent to plain "http"). Unlike the Office child rule above, browsers
# are not excluded, so a browser launched from a hyperlink in a document is
# tagged too - TODO confirm that is intended.
Query = ParentIsMsOffice and regex_match(Process.CommandLine, r"(http|https)")


############################################
#
# Net.Send, Net.Receive, Net.Connect, Net.Reconnect, Net.Retransmit rules
#
############################################

[ActivityMonitoringRule]
RuleId = 5f5774b2-36f4-4990-be0b-ea5c6717e403
RuleName = Suspicious target names
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-suspicious-target-names
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
# A process located under %SystemRoot% connecting to a public file-hosting
# or paste service. The name patterns are unanchored, so "\.github\.com" also
# matches every github.com subdomain.
Query = regex_match_path(Process.Path, r"^%SystemRoot%") and (regex_match(Net.Target.Name, r"dl\.dropboxusercontent\.com") or regex_match(Net.Target.Name, r"\.pastebin\.com") or regex_match(Net.Target.Name, r"\.githubusercontent\.com") or regex_match(Net.Target.Name, r"\.github\.com"))
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleId = ad0f46d0-9a7a-4233-a93b-e3bbb5ee7dbd
RuleName = PowerShell outbound network connections
EventType = Net.Connect
Tag = net-connect-outbound-powershell-network
Annotation = {"mitre_attack": ["T1105"]}
# PowerShell running as SYSTEM connecting to a non-private address. The
# exclusion depends on TargetIsPrivateNetworkIP, so any over-matching in that
# expression suppresses this rule.
Query = ProcessIsPowerShell and not TargetIsPrivateNetworkIP and regex_match(Process.User, r"^NT AUTHORITY\\SYSTEM$")
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleId = c9de8260-a99b-401e-b28b-b4530df68ebc
RuleName = Suspicious outbound Kerberos connections
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-outbound-kerberos
RiskScore = 75
Annotation = {"mitre_attack": ["T1558.003"]}
# Kerberos (TCP/UDP 88) to a non-private address from anything but a browser.
# Domain controllers on private ranges are excluded by TargetIsPrivateNetworkIP;
# environments with DCs on public or non-RFC1918 space need an allow-list.
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port == 88
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleId = 4940f757-3470-42a7-a709-8724b759696a
RuleName = PowerShell remoting
EventType = Net.Connect
Tag = net-connect-powershell-remoting
Annotation = {"mitre_attack": ["T1059.001"]}
# PowerShell connecting to WinRM (5985 HTTP, 5986 HTTPS) unless it runs as
# NETWORK SERVICE. No RiskScore is set; this tags for correlation only.
Query = ProcessIsPowerShell and Net.Target.Port in [5985, 5986] and not regex_match(Process.User, r"^NT AUTHORITY\\NETWORK SERVICE$")
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

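[ActivityMonitoringRule]
RuleId = 0c204f73-ce45-4708-934a-9d07fd2d7303
RuleName = Detect network connects from suspicious sources
EventType = Net.Connect
Tag = net-connect-suspicious-sources
Annotation = {"mitre_attack": ["T1105"]}
# Network connects from processes whose image lives in user-writeable or
# otherwise unusual locations (user profiles, ProgramData, Windows temp, the
# recycle bin, Perflogs, the service profile, Fonts, IME, addins).
# The recycle-bin clause was written as r"$Recycle.bin$"; "$" is the
# end-of-input anchor, so that pattern could never match and the clause was
# dead. It is now r"\\\$Recycle\.bin\\" (literal backslash, literal "$",
# literal dot), using the same "\\" convention as the other path patterns.
# The Perflogs clause used "%Systemdrive%:\\Perflogs"; with standard
# expansion %SystemDrive% already ends in ":" (e.g. "C:"), which would have
# produced "C::\Perflogs". The extra colon is dropped.
# NOTE(review): confirm how regex_match_path expands %SystemDrive% on this
# agent version. The first clause is also pinned to drive C: - consider
# %SystemDrive% there too.
Query = regex_match(Process.Path, r"^C:\\Users") or regex_match_path(Process.Path, r"^%ALLUSERSPROFILE%") or regex_match_path(Process.Path, r"^%ProgramData%") or regex_match_path(Process.Path, r"^%SystemRoot%\\Temp") or regex_match(Process.Path, r"\\\$Recycle\.bin\\") or regex_match_path(Process.Path, r"^%SystemDrive%\\Perflogs") or regex_match(Process.Path, r"config\\systemprofile") or regex_match_path(Process.Path, r"^%SystemRoot%\\Fonts") or regex_match_path(Process.Path, r"^%SystemRoot%\\IME") or regex_match_path(Process.Path, r"^%SystemRoot%\\addins")
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol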

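[ActivityMonitoringRule]
RuleId = e1c5e054-fe7b-4cee-9ea0-24b8185130ce
RuleName = Detect network connects from Windows processes
EventType = Net.Connect
# Tag placed before Query to match the layout of the other rules.
Tag = net-connect-Windows-processes
Annotation = {"mitre_attack": ["T1105"]}
# Built-in Windows tools (plus PowerShell) opening any network connection,
# regardless of target. Name match only. "qwinsta.exe" was listed twice; the
# duplicate is removed.
Query = ProcessIsPowerShell or Process.Name in ["at.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "driverquery.exe", "dsquery.exe", "hh.exe", "infDefaultInstall.exe", "mmc.exe", "msbuild.exe", "mshta.exe", "msiexec.exe", "nbtstat.exe", "net.exe", "net1.exe", "notepad.exe", "nslookup.exe", "qprocess.exe", "qwinsta.exe", "reg.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe", "rwinsta.exe", "sc.exe", "schtasks.exe", "taskkill.exe", "tasklist.exe", "wmic.exe", "wscript.exe"]
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol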

[ActivityMonitoringRule]
RuleId = 29094c60-6459-47aa-8620-581a25cad376
RuleName = Detect network connects from third-party tools
EventType = Net.Connect
Tag = net-connect-third-party-processes
Annotation = {"mitre_attack": ["T1105"]}
# Remote-admin, scanning and Java runtime executables, by name only. The
# java*.exe entries will match every Java application that uses the network;
# expect volume where Java is deployed.
Query = Process.Name in ["java.exe", "javaw.exe", "javaws.exe", "nc.exe", "ncat.exe", "psexec.exe", "psexesvc.exe", "tor.exe", "vnc.exe", "vncservice.exe", "vncviewer.exe", "winexesvc.exe", "nmap.exe", "psinfo.exe"]
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

[ActivityMonitoringRule]
RuleId = 35103d32-ff9a-4a50-b20c-396f185e8a93
RuleName = RDP connects from non-RDP software indicating lateral movement
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
Tag = net-connect-suspicious-RDP-connects
Annotation = {"mitre_attack": ["T1021.001"]}
# Port 3389 from any process not on the ProcessIsKnownRDPSoftware allow-list.
# Non-default RDP ports are not covered.
Query = not ProcessIsKnownRDPSoftware and Net.Target.Port == 3389
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

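[ActivityMonitoringRule]
RuleId = 91ded0fc-2869-45a8-a06d-04f0b3f21532
RuleName = Detect network connects to suspicious ports
EventType = Net.Connect
Tag = net-connect-suspicious-ports
Annotation = {"mitre_attack": ["T1105"]}
# Any connect to a port associated with remote shells, mail, VNC, proxies or
# tunnelling. Port 142 was labelled IMAP, but IMAP is 143; corrected.
# 1723 (PPTP) and 4500 (IPsec NAT-T) were grouped under "Tor"; only 9001 and
# 9030 are Tor's default relay ports. The in-list comments are kept in the
# "/* */" form the original query already used.
Query = Net.Target.Port in [ /* SSH */ 22, /* Telnet */ 23, /* SMTP */ 25, /* IMAP */ 143, /* VNC */ 5800, 5900, /* Socks proxy */ 1080, 3128, 8080, /* PPTP */ 1723, /* IPsec NAT-T */ 4500, /* Tor */ 9001, 9030]
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol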

[ActivityMonitoringRule]
RuleId = f8257d1f-a86f-44d8-b583-2b8d9cbe867e
RuleName = Detect network connects to 80 and 443 from non-browser applications
EventType = Net.Connect
Tag = net-connect-80-443-non-browser
# Low score: updaters, agents and office software all talk HTTP(S).
RiskScore = 25
Annotation = {"mitre_attack": ["T1105"]}
# HTTP/HTTPS to a non-private address from anything not on the browser list.
Query = not ProcessIsBrowser and not TargetIsPrivateNetworkIP and Net.Target.Port in [80, 443]
# Target details attached to the tagged event.
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol

############################################
#
# Registry rules
#
############################################


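[ActivityMonitoringRule]
RuleId = 1414388f-fc7b-4916-ad7f-1399ffcff026
RuleName = Detect AuthRoot, CA and Root certificate changes
# Source: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
EventType = Reg.Value.Write
Hive = HKLM,HKU
Annotation = {"mitre_attack": ["T1588.003"]}
# A write to the "Blob" value of a certificate entry in the machine or user
# AuthRoot, CA or Root stores (including the Group Policy and enterprise
# store paths) - i.e. a trusted certificate being added or replaced.
# The operator is written "and" like every other query in this file (it was
# "AND" here); the source comment now uses the "# Source:" form used elsewhere.
Query = regex_match_path(Reg.Key.Path, r"Software(\\Policies)*\\Microsoft\\(EnterpriseCertificates|SystemCertificates)\\(AuthRoot|CA|Root)\\Certificates\\.+") and Reg.Value.Name == "Blob"
Tag = reg-value-write-cert-change
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target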

[ActivityMonitoringRule]
RuleId = a20c2e1f-2984-4622-bd47-bf925c1aaa07
RuleName = Detect service creation via registry
EventType = Reg.Key.Create
Hive = HKLM
Annotation = {"mitre_attack": ["T1543.003"]}
# A new key directly under the Services key created by anything other than the
# Service Control Manager. "%ControlSet%" is a like-wildcard covering
# CurrentControlSet and ControlSet00N.
# NOTE(review): the pattern has no leading "%" wildcard while the MiniNt rules
# below use "%SYSTEM\\..."; confirm Reg.Parent.Key.Path is hive-relative here,
# otherwise this never matches.
Query = Reg.Parent.Key.Path like r"SYSTEM\\%ControlSet%\\Services" and Process.Name != "services.exe"
Tag = reg-key-create-service
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target

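[ActivityMonitoringRule]
RuleId = cef6a5fc-2b0d-462b-9ab4-37556546390a
RuleName = Detect registry changes to Office macro settings (allow execution)
EventType = Reg.Value.Write
Hive = HKLM,HKU
# Annotation added for consistency with the other Office macro-settings rules,
# which map to T1137.
Annotation = {"mitre_attack": ["T1137"]}
# A TrustRecords entry whose binary data, re-read from the registry after the
# write, ends in byte 7F - the marker the rule treats as "content enabled".
# NOTE(review): confirm the trailing-byte convention against current Office
# builds; the generic TrustRecords rule below fires on every write anyway.
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" and registry_read_binary(Reg.Key.Hive, Reg.Key.Path, Reg.Value.Name) like "%7F"
Tag = reg-value-write-office-macro-allow
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Value.Name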

[ActivityMonitoringRule]
RuleId = 18c13aea-501b-45ac-b1b1-10eb3a3b794a
RuleName = Detect registry changes to Office macro settings
EventType = Reg.Value.Write
Hive = HKLM,HKU
Annotation = {"mitre_attack": ["T1137"]}
# Any value write under the Office trust settings: trusted documents, VBA
# object-model access, macro warning level and trusted locations. The leading
# "%" wildcard makes this independent of the Office version/application path.
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings" or Reg.Key.Path like r"%\\Security\\Trusted Locations\\%"
Tag = reg-value-write-office-macro-settings
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target

[ActivityMonitoringRule]
RuleId = 7098a059-4191-4a9e-973c-8976d61cddc0
RuleName = Detect registry deletes to Office macro settings
EventType = Reg.Value.Delete
Hive = HKLM,HKU
Annotation = {"mitre_attack": ["T1137"]}
# Delete counterpart of the rule above: the same path patterns, on
# Reg.Value.Delete. Keep the two pattern lists in sync.
Query = Reg.Key.Path like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Path like r"%\\Security\\AccessVBOM" or Reg.Key.Path like r"%\\Security\\VBAWarnings" or Reg.Key.Path like r"%\\Security\\Trusted Locations\\%"
Tag = reg-value-delete-office-macro-settings
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target

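[ActivityMonitoringRule]
RuleId = d5b4d0b7-1bfe-4a6b-9664-7b321bfa4094
RuleName = Detect disabling security eventlog on create
EventType = Reg.Key.Create
Hive = HKLM
# Annotation added to match the rename variant of this rule below, which maps
# the same MiniNt key to T1562.002.
Annotation = {"mitre_attack": ["T1562.002"]}
# Creation of the Control\MiniNt key in any control set. "%ControlSet%" is a
# like-wildcard covering CurrentControlSet and ControlSet00N.
Query = Reg.Key.Path like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-create-disable-security-eventlog
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target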

[ActivityMonitoringRule]
RuleId = 21791409-7892-4122-9441-066955ee01b5
RuleName = Detect disabling security eventlog on rename
EventType = Reg.Key.Rename
Hive = HKLM
Annotation = {"mitre_attack": ["T1562.002"]}
# Rename counterpart of the create rule above: matches when the key's new
# name (Reg.Key.Path.New) becomes Control\MiniNt in any control set.
Query = Reg.Key.Path.New like r"%SYSTEM\\%ControlSet%\\Control\\MiniNt"
Tag = reg-key-rename-disable-security-eventlog
RiskScore = 100
# Registry context attached to the tagged event.
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Name
GenericProperty3 = Reg.Parent.Key.Path
GenericProperty4 = Reg.Value.Name
GenericProperty5 = Reg.File.Name
GenericProperty6 = Reg.Key.Sddl
GenericProperty7 = Reg.Key.Hive
GenericProperty8 = Reg.Key.Target
