From 9da73becdba96e0b4378b674db4cd06cf2c649fd Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Thu, 26 Sep 2024 12:25:02 +0000
Subject: [PATCH] Add rule for detecting hiding shutdown actions (#935)

* Add initial rule for hiding shutdown actions

Signed-off-by: Still Hsu

--------

Signed-off-by: Still Hsu
Co-authored-by: Moritz
---
.../os/hide-shutdown-actions-via-policy.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 host-interaction/os/hide-shutdown-actions-via-policy.yml

diff --git a/host-interaction/os/hide-shutdown-actions-via-policy.yml b/host-interaction/os/hide-shutdown-actions-via-policy.yml
new file mode 100644
index 00000000..70547555
--- /dev/null
+++ b/host-interaction/os/hide-shutdown-actions-via-policy.yml
@@ -0,0 +1,31 @@
+rule:
+ meta:
+ name: hide shutdown actions via policy
+ namespace: host-interaction/os
+ authors:
+ - still@teamt5.org
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Defense Evasion::Modify Registry [T1112]
+ references:
+ - https://securelist.com/mallox-ransomware/113529/
+ examples:
+ - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0:0x14000b47f
+ features:
+ - and:
+ - optional:
+ - match: create or open registry key
+ - or:
+ - and:
+ - string: "/Policies/i"
+ - or:
+ - string: "/ShutdownWithoutLogon/i"
+ - string: "/HidePowerOptions/i"
+ - and:
+ - string: "/PolicyManager/i"
+ - or:
+ - string: "/HideRestart/i"
+ - string: "/HideShutDown/i"
+ - string: "/HideSignOut/i"
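Review bot: Under the declared `dynamic: call` scope, the inner `and` requires `/Policies/i` and one of `/ShutdownWithoutLogon/i` or `/HidePowerOptions/i` (or `/PolicyManager/i` with one of the Hide* names) to appear among the features of a single call; if the key path is passed to a key-open call and the value name to a separate value-set call, as seems likely, the dynamic branch may rarely fire. Only a static example (`a6594d…:0x14000b47f`) is listed, so the dynamic scope is not exercised by the examples — worth confirming against a dynamic trace, and if it does not match, a wider scope such as `dynamic: thread` would let the strings be collected across calls. The meta block would also benefit from a `description:` explaining that these strings are the policy value names that remove shutdown, restart and sign-out options from the user interface, presumably the behaviour the Mallox reference is cited for, e.g. `description: matches the names of Windows policy values that hide shutdown, restart and sign-out options; seen in ransomware to keep victims from restarting`.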