Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Read More

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

Read More

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

Read More

Detects the import of the specified file to the registry with regedit.exe.

Read More

Detects the import of a alternate datastream to the registry with regedit.exe.

Read More

Detects the presence of a registry key created during Azorult execution

Read More

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

Read More

Detects actions that clear the local ShimCache and remove forensic evidence

Read More

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

Read More

Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys

Read More

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Read More

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

Below is a list of registry keys/values that are monitored by this rule:

• Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
• DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
• DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
• fAllowUnsolicited: Allows unsolicited remote assistance offers.
• fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
• InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
• ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
• SecurityLayer: Specifies the security layer used for RDP connections.

Read More

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Read More

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.

Read More

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Read More

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

Read More

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

Read More

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Read More

Detects registry keys related to Ursnif malware.

Read More

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detects registry keys related to NetWire RAT

Read More

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Read More

Detect set DisallowRun to 1 to prevent user running specific computer program

Read More

Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detect possible persistence using Fax DLL load when service restart

Read More

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Read More

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Read More

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Read More

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Read More

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Read More

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Read More

Detects NetNTLM downgrade attack

Read More

Detects NetNTLM downgrade attack

Read More

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

Read More

Detects registry keys created in OceanLotus (also known as APT32) attacks

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

Read More

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

Read More

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

Read More

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

Read More

Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.

Read More

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

Read More

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects actions caused by the RedMimicry Winnti playbook

Read More

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Read More

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

Read More

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

Read More

Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.

Read More

Detects remote RPC calls to modify the registry and possible execute code

Read More

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

Read More

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Read More

This rule detects the execution of Run Once task as configured in the registry

Read More

Detects attempts to disable security event logging by adding the MiniNt registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

Read More

Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.

Read More

Detect the creation of a service with a service binary located in a suspicious directory

Read More

Potential threat actor tampering with Sysmon manifest and eventually disabling it

Read More

Detects the deletion of registry keys containing the MSTSC connection history

Read More

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

Read More

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.

Read More

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Read More

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

Read More

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Read More

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

Read More

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More