From 736f6620ab853de85faec4b36ae030014ce1ebca Mon Sep 17 00:00:00 2001
From: luffy68 <31893813+luffy68@users.noreply.github.com>
Date: Tue, 7 Dec 2021 00:23:23 +0800
Subject: [PATCH 1/7] Adding CAR-2021-12-002-T1547.001 Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 with the process creation and EventID 4657 for the modification of Registry Key.
---
analytics/CAR-2021-12-002.yaml | 57 ++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 analytics/CAR-2021-12-002.yaml
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
new file mode 100644
index 00000000..9153d23b
--- /dev/null
+++ b/analytics/CAR-2021-12-002.yaml
@@ -0,0 +1,57 @@
+title: Modification of default Startup Folder in the Registry Key "Common Startup"
+submission_date: 2021/12/06
+information_domain: Host
+platforms:
+ - Windows
+subtypes:
+ - Process
+ - Registry
+analytic_types:
+ - TTP
+contributors:
+ - Lucas Heiligenstein
+id: CAR-2021-12-002
+description: |-
+ Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 with the process creation and EventID 4657 for the modification of Registry Key.
+coverage:
+ - technique: T1547
+ tactics:
+ - TA0003
+ - TA0004
+ subtechniques:
+ - T1547.001
+ coverage: Medium
+ - technique: T1112
+ tactics:
+ - TA0005
+ subtechniques:
+ - T1112
+ coverage: Medium
+implementations:
+ - name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
+ description: This is a pseudocode representation of the below Splunk search.
+ code: |-
+ (source="WinEventLog:*" EventLog="Security" ( EventCode="4688" (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
+ type: Splunk
+ - name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
+ description: This is a pseudocode representation of the below Elastic search.
+ code: |-
+ ((EventLog:"Security" AND winlog.event_id:"4688" AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup"))
+ type: Elastic
+ - name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup"
+ description: This is a pseudocode representation of the below LogPoint search.
+ code: |-
+ ((EventLog="Security" event_id="4688" ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup"))
+ type: LogPoint
+unit_tests:
+- configurations:
+ description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon
+ commands:
+ - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f
+- configurations:
+ description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon
+ commands:
+ - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder
+data_model_references:
+ - process/create/command_line
+ - registry/add/key
From 2d9ca411fddcfeb74ba08d28ebedf9bdd34f0138 Mon Sep 17 00:00:00 2001
From: Lucas <31893813+Ptylu@users.noreply.github.com>
Date: Wed, 19 Jan 2022 22:12:09 +0800
Subject: [PATCH 2/7] Update CAR-2021-12-002.yaml Sysmon EventID 1 added
---
analytics/CAR-2021-12-002.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
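Review bot: The description quotes the same registry path twice (`"HKEY_LOCAL_MACHINE\...\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\...\Explorer\User Shell Folders\"`), so the "and" names no second location; either drop the repeat or state which other key was meant, and note that the reworded description in PATCH 4/7 keeps the duplicate. The `EventCode="4657"` branch is only ever emitted when the Audit Registry subcategory is enabled and a SACL covering the `User Shell Folders` key is in place, and `4688` only carries `CommandLine` when command-line logging is enabled, so the description should state these prerequisites so a deployer knows why the analytic may otherwise stay silent. `ObjectValueName="Common Startup"` also does not tie the 4657 event to the `User Shell Folders` key named in the description, so any value with that name anywhere in the registry matches.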
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 9153d23b..337ba7d6 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
@@ -12,7 +12,7 @@ contributors:
- Lucas Heiligenstein
id: CAR-2021-12-002
description: |-
- Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 with the process creation and EventID 4657 for the modification of Registry Key.
+ Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 and 1 with the process creation and EventID 4657 for the modification of Registry Key.
coverage:
- technique: T1547
tactics:
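Review bot: `EventID 4688 and 1` reads as two events from the same log, but event ID 1 here is Sysmon's process-creation event from its own channel, and Security event 1 is something else entirely; name the source so the reader is not misled: `Detection focus at the same time on Security EventID 4688 and Sysmon EventID 1 for process creation and EventID 4657 for the modification of Registry Key.` The rewritten description in PATCH 4/7 keeps the bare `4688 and 1`.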
@@ -31,17 +31,17 @@ implementations:
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Splunk search.
code: |-
- (source="WinEventLog:*" EventLog="Security" ( EventCode="4688" (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
+ (source="WinEventLog:*" EventLog="Security" ((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
type: Splunk
- name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Elastic search.
code: |-
- ((EventLog:"Security" AND winlog.event_id:"4688" AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup"))
+ ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup"))
type: Elastic
- name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below LogPoint search.
code: |-
- ((EventLog="Security" event_id="4688" ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup"))
+ ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup"))
type: LogPoint
unit_tests:
- configurations:
From db821d18bbaf86747bddeb7d18197aa835f0ad9f Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Tue, 25 Jan 2022 07:32:03 -0700
Subject: [PATCH 3/7] Fixed coverage & unit_tests
---
analytics/CAR-2021-12-002.yaml | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 337ba7d6..899049d6 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
@@ -24,8 +24,6 @@ coverage:
- technique: T1112
tactics:
- TA0005
- subtechniques:
- - T1112
coverage: Medium
implementations:
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
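Review bot: The Elastic and LogPoint queries in this hunk AND the newly added `winlog.event_id:"1"` / `event_id="1"` with `EventLog:"Security"` / `EventLog="Security"`, but Sysmon event ID 1 is written to the Microsoft-Windows-Sysmon/Operational channel, not the Security log, so if `EventLog` is the channel name (as the Splunk `EventLog="Security"` term suggests) the Sysmon branch can never match and the change is a no-op for those two implementations. Either drop the channel constraint as PATCH 5/7 later does for the Splunk query, or split it per source, e.g. `((EventLog:"Security" AND winlog.event_id:"4688") OR (EventLog:"Microsoft-Windows-Sysmon/Operational" AND winlog.event_id:"1"))` and the equivalent in the LogPoint query. PATCH 7/7 rewrites both queries and leaves the same constraint in place.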
@@ -44,12 +42,10 @@ implementations:
((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup"))
type: LogPoint
unit_tests:
-- configurations:
- description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon
+- description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon
commands:
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f
-- configurations:
- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon
+- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon
commands:
- Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder
data_model_references:
From eec02396008d2afc08c770528ef79822f6dcb634 Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Tue, 25 Jan 2022 07:45:29 -0700
Subject: [PATCH 4/7] Minor update to description
---
analytics/CAR-2021-12-002.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 899049d6..9f706636 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
@@ -1,4 +1,4 @@
-title: Modification of default Startup Folder in the Registry Key "Common Startup"
+title: Modification of Default Startup Folder in the Registry Key "Common Startup"
submission_date: 2021/12/06
information_domain: Host
platforms:
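Review bot: Both unit tests leave the machine's `Common Startup` value pointing at a directory that does not exist once they have run, because the `reg add ... /f` and `Set-ItemProperty` commands are not followed by any step that restores the previous value, and the flattened `- description:` entries are the natural place to say so; add a command to each test that saves the existing value beforehand and writes it back afterwards. The `C:\Users\Lucas\Documents\new_malicious_startup_folder` path is specific to one account; a labelled placeholder such as `<TEST_STARTUP_FOLDER>` (constructed) would make the tests reusable on any host.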
@@ -11,8 +11,7 @@ analytic_types:
contributors:
- Lucas Heiligenstein
id: CAR-2021-12-002
-description: |-
- Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When user logon, files in the Startup Folder are launched. Attacker may modify these forlders with other to evade detection set on these default folders. Detection focus at the same time on the EventID 4688 and 1 with the process creation and EventID 4657 for the modification of Registry Key.
+description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.
coverage:
- technique: T1547
tactics:
From 3c24e0f5ef3cfe652e3197ef8dcede05ff359a1e Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Wed, 26 Jan 2022 14:09:33 -0700
Subject: [PATCH 5/7] Removed source and event_log from splunk query
---
analytics/CAR-2021-12-002.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 9f706636..8d77252f 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
@@ -28,7 +28,7 @@ implementations:
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Splunk search.
code: |-
- (source="WinEventLog:*" EventLog="Security" ((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
+ (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
type: Splunk
- name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Elastic search.
From 25f978783fd482c06208646b79ab24ddbf132cf2 Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Wed, 26 Jan 2022 14:25:24 -0700
Subject: [PATCH 6/7] Added EID 13 sysmon detection to Splunk query
---
analytics/CAR-2021-12-002.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 8d77252f..28ec7034 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
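Review bot: With `source` and `EventLog` removed, the Splunk query no longer scopes `EventCode="1"` to the Sysmon channel nor `4688`/`4657` to the Security log, so any indexed Windows event that happens to carry those small numeric codes from another channel becomes a candidate and the match rests entirely on field names such as `CommandLine` being populated; constraining each branch to its source, e.g. `(source="WinEventLog:Security" EventCode="4688") OR (source="*Microsoft-Windows-Sysmon/Operational" EventCode="1")`, keeps the precision the removed terms gave. The same applies to the `EventCode="13"` branch added in PATCH 6/7. The query also relies on Splunk evaluating `OR` before the implicit `AND` so that `(CommandLine="*reg*" ...) OR (CommandLine="*Set-ItemProperty*" ...)` is grouped before the `CommandLine="*Common Startup*"` term; explicit parentheses around the two branches, as the Elastic and LogPoint variants already have, would make the intent unambiguous to readers porting it.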
@@ -28,7 +28,7 @@ implementations:
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Splunk search.
code: |-
- (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR (EventCode="4657" ObjectValueName="Common Startup"))
+ (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup")))
type: Splunk
- name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
description: This is a pseudocode representation of the below Elastic search.
From d5617eb8253b18ed26754e002820c9916f20a49c Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Tue, 1 Feb 2022 14:36:59 -0700
Subject: [PATCH 7/7] Added pseudocode + tweaked implementations
---
analytics/CAR-2021-12-002.yaml | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml
index 28ec7034..00c0547f 100644
--- a/analytics/CAR-2021-12-002.yaml
+++ b/analytics/CAR-2021-12-002.yaml
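Review bot: `TargetObject="*Common Startup"` matches a value named `Common Startup` under any key, while the description ties the analytic to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`; anchoring the path, e.g. `TargetObject="*\Explorer\User Shell Folders\Common Startup"`, keeps the new Sysmon branch aligned with the stated scope. Sysmon only emits event 13 for keys selected by an include rule in its configuration, which is a deployment prerequisite the description should mention alongside the auditing requirement for 4657. The description still says only `EventID 4657 for the modification of the Registry Keys` and is not updated for event 13 here or in PATCH 7/7, where the same branch is added to the Elastic and LogPoint queries.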
@@ -25,20 +25,30 @@ coverage:
- TA0005
coverage: Medium
implementations:
+ - name: Common Startup Registry Key Modification
+ description: This detects modification of the `Common Startup` registry key value, either via a new process (command line) or direct registry manipulation.
+ code: |-
+ processes = search Process:create
+ logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*") OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*")) AND command_line CONTAINS("*Common Startup*"))
+ reg_keys = search Registry:value_edit
+ logon_reg_keys = filter reg_keys where value="Common Startup"
+ output logon_reg_processes, logon_reg_keys
+ data_model: CAR native
+ type: Pseudocode
- name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup"
- description: This is a pseudocode representation of the below Splunk search.
+ description: This is a Splunk representation of the above pseudocode search.
code: |-
(((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup")))
type: Splunk
- name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup"
- description: This is a pseudocode representation of the below Elastic search.
+ description: This is an ElasticSeearech representation of the above pseudocode search.
code: |-
- ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup"))
+ ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup"))
type: Elastic
- name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup"
- description: This is a pseudocode representation of the below LogPoint search.
+ description: This is a LogPoint representation of the above pseudocode search.
code: |-
- ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup"))
+ ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup"))
type: LogPoint
unit_tests:
- description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon
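Review bot: In the new pseudocode the `*Common Startup*` term binds only to the PowerShell branch: under the usual AND-before-OR reading, `(A AND B AND C OR (D AND E) AND F)` groups as `(A AND B AND C) OR (D AND E AND F)`, so any `reg add ... /d` command line is output without the `Common Startup` constraint, unlike the Elastic and LogPoint queries that wrap both branches before the final term; write it as `where ((command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*"))) AND command_line CONTAINS("*Common Startup*")`. In the Elastic query the added `winlog.event_data.TargetObject:"*Common Startup"` is quoted, and in query-string syntax a `*` inside a quoted phrase is a literal character rather than a wildcard, unlike the unquoted `*Common\ Startup*` used earlier in the same query; `winlog.event_data.TargetObject:*Common\ Startup` matches the intent. The pseudocode searches `Registry:value_edit`, but `data_model_references` (added in PATCH 1/7, outside this hunk) still lists `registry/add/key`, and the two should agree. `ElasticSeearech` in the Elastic description is a typo for `Elasticsearch`.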