
"Disable Security Events Logging Adding Reg Key MiniNt" sysmon field name issue

Open tmcgahan opened this issue 3 years ago • 4 comments

https://github.com/SigmaHQ/sigma/blob/7fb8272f948cc0b528fe7bd36df36449f74b2266/rules/windows/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml

Currently, it seems that the sysmon field "NewName" doesn't interact well with "Details" and results in an "Incorrect Field Details" error when validating a sysmon configuration that uses "NewName".

(see my MS forums post https://docs.microsoft.com/en-us/answers/questions/778306/sysmon-details-incorrect-field-details.html)

Will changing "NewName" to "Details" corrupt this rule?

Thanks!!!

@frack113

tmcgahan avatar Mar 18 '22 19:03 tmcgahan

@tmcgahan Yes, as we search the key (NewName), not the value (Details).

But we can change the rule a little.

First shot:

```yaml
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
  selection_12:
    EventType: 'CreateKey'
    TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  selection_13:
    EventType: 'SetValue'
    TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  selection_14:
    EventType: 'RenameKey'
    NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  condition: 1 of selection_*
```

Some optimisation:

```yaml
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
  selection_12_13:
    EventType:
      - 'CreateKey'
      - 'SetValue'
    TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  selection_14:
    EventType: 'RenameKey'
    NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  condition: 1 of selection_*
```

From the Twitter ref, 'SetValue' is not useful, as "If you add [...]". So we just need 'CreateKey', but 'RenameKey' is fine too:

```yaml
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
  selection_12:
    EventType: 'CreateKey'
    TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  selection_14:
    EventType: 'RenameKey'
    NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
  condition: 1 of selection_*
```

frack113 avatar Mar 19 '22 08:03 frack113
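To make the NewName-versus-Details question concrete, here is an added Python example (not code from the Sigma project or from either participant) that applies the final rule's two selections to constructed Sysmon Event ID 12/13/14 records and also models the proposed field swap; the pre-rename key path in the sample event is a constructed value.

```python
# Added example: evaluate the final MiniNt selections against constructed
# Sysmon registry events and show why RenameKey must match on NewName.

MININT = r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"

# Final variant from the thread: CreateKey on TargetObject, RenameKey on
# NewName; the rule condition is "1 of selection_*".
SELECTIONS = {
    "selection_12": {"EventType": "CreateKey", "TargetObject": MININT},
    "selection_14": {"EventType": "RenameKey", "NewName": MININT},
}


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field/value pair of a Sigma selection must match (implicit AND)."""
    return all(event.get(field) == value for field, value in selection.items())


def rule_matches(event: dict, selections: dict = SELECTIONS) -> list:
    """Names of the selections that fire; non-empty means '1 of selection_*' holds."""
    return [name for name, sel in selections.items() if selection_matches(sel, event)]


def swap_newname_for_details(selections: dict) -> dict:
    """Model the proposed edit: rename the NewName field to Details in every selection."""
    return {
        name: {("Details" if f == "NewName" else f): v for f, v in sel.items()}
        for name, sel in selections.items()
    }


# Constructed sample events (field subsets of Sysmon Event IDs 12, 14 and 13).
# Sysmon already normalises ControlSetXXX to CurrentControlSet, so the rule
# only has to match the CurrentControlSet form.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "TargetObject": MININT},
    # Rename: the pre-rename path (constructed) sits in TargetObject,
    # the post-rename path in NewName. Event ID 14 carries no Details field.
    {"EventID": 14, "EventType": "RenameKey",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\OldKeyName", "NewName": MININT},
    # SetValue under MiniNt was dropped from the final rule, so it must not fire.
    {"EventID": 13, "EventType": "SetValue", "TargetObject": MININT, "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], ev["EventType"], rule_matches(ev))
    # With NewName rewritten to Details, the rename event is no longer detected.
    print("after swap:", rule_matches(SAMPLE_EVENTS[1], swap_newname_for_details(SELECTIONS)))
```

Running it shows the CreateKey and RenameKey events firing selection_12 and selection_14 respectively, and the rename event producing no match once NewName is replaced by Details.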

The Sysmon part:

frack113 avatar Mar 19 '22 08:03 frack113

@frack113 you're the best! Thanks!

tmcgahan avatar Mar 21 '22 16:03 tmcgahan

Good optimization, but for some reason, using NewName still gives me the error I spoke of in my Microsoft forums post (link above). Unfortunate.

tmcgahan avatar Mar 21 '22 17:03 tmcgahan

@tmcgahan can we close it?

frack113 avatar Dec 26 '22 09:12 frack113