-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2021-12-002.yaml
67 lines (67 loc) · 4.37 KB
/
CAR-2021-12-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
title: Modification of Default Startup Folder in the Registry Key 'Common Startup'
submission_date: 2021/12/06
information_domain: Host
platforms:
- Windows
subtypes:
- Process
- Registry
analytic_types:
- TTP
contributors:
- Lucas Heiligenstein
id: CAR-2021-12-002
description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.
coverage:
- technique: T1547
tactics:
- TA0003
- TA0004
subtechniques:
- T1547.001
coverage: Medium
- technique: T1112
tactics:
- TA0005
coverage: Medium
implementations:
- name: Common Startup Registry Key Modification
description: This detects modification of the `Common Startup` registry key value, either via a new process (command line) or direct registry manipulation.
code: |
processes = search Process:create
logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*") OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*")) AND command_line CONTAINS("*Common Startup*"))
reg_keys = search Registry:value_edit
logon_reg_keys = filter reg_keys where value="Common Startup"
output logon_reg_processes, logon_reg_keys
data_model: CAR native
type: Pseudocode
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a Splunk representation of the above pseudocode search.
code: |
(((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup")))
type: Splunk
- name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is an ElasticSeearech representation of the above pseudocode search.
code: |
((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup"))
type: Elastic
- name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a LogPoint representation of the above pseudocode search.
code: |
((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup"))
type: LogPoint
unit_tests:
- description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon
commands:
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f
- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon
commands:
- Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder
data_model_references:
- process/create/command_line
- registry/add/key
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis