Merge pull request SigmaHQ#4381 from frack113/refractor_registry_set

Refractor registry_set  rules

deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml

@@ -9,7 +9,7 @@ references:
     - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Sreeman
 date: 2020/09/29
-modified: 2022/12/19
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -20,7 +20,6 @@ logsource:
     category: registry_set
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
         Details|endswith:
             - '.sh'

deprecated/windows/registry_set_add_hidden_user.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
 author: frack113
 date: 2022/08/20
-modified: 2023/01/26
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1564.002
@@ -15,7 +15,6 @@ logsource:
     category: registry_set
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\'
         TargetObject|endswith: '$'
         Details: DWORD (0x00000000)

deprecated/windows/registry_set_disable_microsoft_office_security_features.yml

@@ -8,7 +8,7 @@ references:
     - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 author: frack113
 date: 2021/06/08
-modified: 2023/06/21
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -23,7 +23,6 @@ logsource:
     # <TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject>
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Microsoft\Office\'
         TargetObject|endswith:
             - VBAWarnings

deprecated/windows/registry_set_office_security.yml

@@ -8,7 +8,7 @@ references:
     - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2023/06/21
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -17,7 +17,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: Setvalue
         TargetObject|endswith:
             - '\Security\Trusted Documents\TrustRecords'
             - '\Security\AccessVBOM'

deprecated/windows/registry_set_silentprocessexit.yml

@@ -7,7 +7,7 @@ references:
     - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 author: Florian Roth (Nextron Systems)
 date: 2021/02/26
-modified: 2022/12/19
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1546.012
@@ -16,7 +16,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
         Details|contains: 'MonitorProcess'
     condition: selection

rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -7,7 +7,7 @@ references:
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 author: Sittikorn S, frack113
 date: 2021/07/16
-modified: 2022/08/23
+modified: 2023/08/17
 tags:
     - attack.credential_access
     - attack.t1566
@@ -21,7 +21,6 @@ logsource:
     category: registry_set
 detection:
     selection:
-        EventType: SetValue
         TargetObject|endswith:
             - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
             - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)

rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml

@@ -6,6 +6,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/19
+modified: 2023/08/17
 tags:
     - attack.persistence
     - detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
     product: windows
 detection:
     selection_path:
-        EventType: SetValue
         TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
     selection_value:
         - TargetObject|contains: 'Microsift'

rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml

@@ -6,6 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/04/05
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1137
@@ -22,7 +23,6 @@ detection:
         TargetObject|contains:
             - '\Tasks\'
             - '\Notes\'
-        EventType: SetValue
     condition: selection
 falsepositives:
     - Legitimate reminders received for a task or a note will also trigger this rule.

rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml

@@ -6,6 +6,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/02
+modified: 2023/08/17
 tags:
     - attack.persistence
     - detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains|all:
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
             - '\ProfileImagePath'

rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml

@@ -6,6 +6,7 @@ references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/10
+modified: 2023/08/17
 tags:
     - attack.persistence
     - detection.emerging_threats
@@ -14,7 +15,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
     filter_main_wav:
         - TargetObject|endswith: '.AssocFile.WAV'

rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml

@@ -9,6 +9,7 @@ references:
     - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -18,7 +19,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: Setvalue
         TargetObject|contains: 'Security\Trusted Locations\Location'
         TargetObject|endswith: '\Path'
     condition: selection

rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
 author: frack113
 date: 2022/04/04
-modified: 2022/06/26
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1564.001
@@ -16,7 +16,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: Setvalue
         TargetObject|startswith:
             - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\'
             - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\'

rules/windows/registry/registry_set/registry_set_add_port_monitor.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 author: frack113
 date: 2021/12/30
-modified: 2022/09/18
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.010
@@ -19,7 +19,6 @@ detection:
     selection:
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Monitors\'
         Details|endswith: '.dll'
-        EventType: SetValue
     filter_cutepdf:
         Image: 'C:\Windows\System32\spoolsv.exe'
         TargetObject|contains: '\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'

rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml

@@ -7,14 +7,14 @@ references:
     - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/21
+modified: 2023/08/17
 tags:
     - attack.persistence
 logsource:
     category: registry_set
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger'
         Details|endswith: '.dll'
     filter:

rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml

@@ -6,6 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
 date: 2022/08/19
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -14,7 +15,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
         Details: DWORD (0x00000001)
     condition: selection

rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml

@@ -7,6 +7,7 @@ references:
     - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
+modified: 2023/08/17
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -15,7 +16,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue
         TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
     filter:
         Details: '%windir%\system32\amsi.dll'

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2023/01/18
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
     product: windows
 detection:
     selection_classes_base:
-        EventType: SetValue
         TargetObject|contains: '\Software\Classes'
     selection_classes_target:
         TargetObject|contains:

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml

@@ -12,7 +12,7 @@ references:
     - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
 date: 2019/10/25
-modified: 2023/03/24
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
     product: windows
 detection:
     main_selection:
-        EventType: SetValue
         TargetObject|contains:
             - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
             - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/09/20
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
     product: windows
 detection:
     system_control_base:
-        EventType: SetValue
         TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
     system_control_keys:
         TargetObject|contains:

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml

@@ -12,7 +12,7 @@ references:
     - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/10/20
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
     product: windows
 detection:
     current_version_base:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
     current_version_keys:
         TargetObject|contains:

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/07/05
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
     product: windows
 detection:
     nt_current_version_base:
-        EventType: SetValue
         TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
     nt_current_version:
         TargetObject|contains:

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
     product: windows
 detection:
     ie:
-        EventType: SetValue
         TargetObject|contains:
             - '\Software\Wow6432Node\Microsoft\Internet Explorer'
             - '\Software\Microsoft\Internet Explorer'

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2023/02/17
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,7 +20,6 @@ logsource:
     product: windows
 detection:
     office:
-        EventType: SetValue
         TargetObject|contains:
             - '\Software\Wow6432Node\Microsoft\Office'
             - '\Software\Microsoft\Office'

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml

@@ -11,7 +11,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2023/08/17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -21,7 +21,6 @@ logsource:
     product: windows
 detection:
     session_manager_base:
-        EventType: SetValue
         TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
     session_manager:
         TargetObject|contains: