From b0054b7cd0b0a765bd4fc550c80069a61e6edab0 Mon Sep 17 00:00:00 2001 From: Lucas <31893813+Ptylu@users.noreply.github.com> Date: Wed, 2 Feb 2022 05:38:05 +0800 Subject: [PATCH] CAR-2021-12-002-T1547.001 (#141) * Adding CAR-2021-12-002-T1547.001 Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 with the process creation and EventID 4657 for the modification of Registry Key. * Update CAR-2021-12-002.yaml Sysmon EventID 1 added * Fixed coverage & unit_tests * Minor update to description * Removed source and event_log from splunk query * Added EID 13 sysmon detection to Splunk query * Added pseudocode + tweaked implementations Co-authored-by: luffy68 <31893813+luffy68@users.noreply.github.com> Co-authored-by: Ivan Kirillov --- analytics/CAR-2021-12-002.yaml | 62 ++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 analytics/CAR-2021-12-002.yaml diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml new file mode 100644 index 00000000..00c0547f --- /dev/null +++ b/analytics/CAR-2021-12-002.yaml @@ -0,0 +1,62 @@ +title: Modification of Default Startup Folder in the Registry Key "Common Startup" +submission_date: 2021/12/06 +information_domain: Host +platforms: + - Windows +subtypes: + - Process + - Registry +analytic_types: + - TTP +contributors: + - Lucas Heiligenstein +id: CAR-2021-12-002 +description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. +coverage: + - technique: T1547 + tactics: + - TA0003 + - TA0004 + subtechniques: + - T1547.001 + coverage: Medium + - technique: T1112 + tactics: + - TA0005 + coverage: Medium +implementations: + - name: Common Startup Registry Key Modification + description: This detects modification of the `Common Startup` registry key value, either via a new process (command line) or direct registry manipulation. + code: |- + processes = search Process:create + logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*") OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*")) AND command_line CONTAINS("*Common Startup*")) + reg_keys = search Registry:value_edit + logon_reg_keys = filter reg_keys where value="Common Startup" + output logon_reg_processes, logon_reg_keys + data_model: CAR native + type: Pseudocode + - name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup" + description: This is a Splunk representation of the above pseudocode search. + code: |- + (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup"))) + type: Splunk + - name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup" + description: This is an ElasticSeearech representation of the above pseudocode search. + code: |- + ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup")) + type: Elastic + - name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup" + description: This is a LogPoint representation of the above pseudocode search. + code: |- + ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup")) + type: LogPoint +unit_tests: +- description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon + commands: + - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f +- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon + commands: + - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder +data_model_references: + - process/create/command_line + - registry/add/key