
Atomic T1548.002 Add new registry keys

Open frack113 opened this issue 1 year ago • 0 comments

Summary of the Pull Request

Add new tests 24 and 25 from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md

Changelog

update: Disable UAC Using Registry - Add more registry keys

Example Log Event

<EventData>
  <Data Name="RuleName">technique_id=T1548.002,technique_name=Bypass User Access Control</Data>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2024-05-05 09:37:36.598</Data>
  <Data Name="ProcessGuid">{095b1fc8-535e-6637-f101-000000002500}</Data>
  <Data Name="ProcessId">4440</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>
<EventData>
  <Data Name="RuleName">technique_id=T1548.002,technique_name=Bypass User Access Control</Data>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2024-05-05 09:30:28.116</Data>
  <Data Name="ProcessGuid">{095b1fc8-51b4-6637-d601-000000002500}</Data>
  <Data Name="ProcessId">2888</Data>
  <Data Name="Image">C:\WINDOWS\system32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Security Center\UACDisableNotify</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113 · May 05 '24 10:05
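The two Sysmon Event ID 13 (RegistryEvent SetValue) records above are the observable the updated rule has to key on: a write to PromptOnSecureDesktop with the DWORD 0 and a write to UACDisableNotify with the DWORD 1. The following is an added example, not SigmaHQ's rule or any code from this PR: it applies that TargetObject/Details selection, Sigma-style (suffix match on the key path, case-insensitive), to constructed Sysmon XML fragments that mirror the events in the description, plus a benign write that re-enables the secure desktop and must not fire. Only the two values shown on this page are in the selection list; the full "Disable UAC Using Registry" rule covers further keys that are not reproduced here (assumption).

```python
"""Sigma-style check for UAC-weakening registry writes in Sysmon Event ID 13 data.

Added example, not SigmaHQ rule code. The selection below lists only the two
values shown in the PR's example events; the real rule covers more keys.
"""
import xml.etree.ElementTree as ET

# Selection modelled on Sigma's `TargetObject|endswith` + `Details` fields.
# Sigma string matching is case-insensitive, so comparisons are lowercased.
UAC_DISABLE_SELECTION = [
    (r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
     "DWORD (0x00000000)"),  # secure desktop off: UAC prompt rendered on user desktop
    (r"\SOFTWARE\Microsoft\Security Center\UACDisableNotify",
     "DWORD (0x00000001)"),  # Security Center stops warning that UAC is weakened
]

# Constructed Sysmon <EventData> fragments (not captured from a live host):
# the first two mirror the PR's events, the third re-enables the secure
# desktop and must NOT match even though the key path is identical.
SAMPLE_EVENTS = [
    r"""<EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>""",
    r"""<EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\WINDOWS\system32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Security Center\UACDisableNotify</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>""",
    r"""<EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\WINDOWS\system32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
  <Data Name="User">LAB\admin</Data>
</EventData>""",
]


def parse_event_data(xml_text):
    """Flatten a Sysmon <EventData> fragment into a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}


def matches_uac_disable(event):
    """True when the event is a SetValue to a listed key with the weakening DWORD."""
    if event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return any(target.endswith(suffix.lower()) and details == value.lower()
               for suffix, value in UAC_DISABLE_SELECTION)


def scan(xml_events):
    """Return (Image, value name) for every event the selection fires on."""
    hits = []
    for xml_text in xml_events:
        event = parse_event_data(xml_text)
        if matches_uac_disable(event):
            value_name = event["TargetObject"].rsplit("\\", 1)[-1]
            hits.append((event["Image"], value_name))
    return hits


if __name__ == "__main__":
    for image, value_name in scan(SAMPLE_EVENTS):
        print(f"UAC weakening write to {value_name} by {image}")
```

Matching on Details as well as TargetObject is what keeps the third sample quiet: an administrator turning the secure desktop back on writes the same key, and a rule that matched the path alone would alert on the remediation as loudly as on the attack.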