sigma
Create proc_creation_win_reg_add_AutoAdminLogon_key.yml
Summary of the Pull Request
Detects the modification of the registry values DefaultUserName, DefaultPassword and AutoAdminLogon to enable automatic logon. Attackers use this technique to achieve persistence.
Changelog
Example Log Event
Process Create:
RuleName: -
UtcTime: 2024-10-16 11:02:12.493
ProcessGuid: {c419c85b-9d34-670f-8328-000000004700}
ProcessId: 12348
Image: C:\Windows\System32\reg.exe
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: Registry Console Tool
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: reg.exe
CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
CurrentDirectory: C:\Users\user
User: XXXXXXXXXX\XXXXXXXX
LogonGuid: {c419c85b-9d89-670c-8fed-187f00000000}
LogonId: 0xF17ED8F
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: MD5=CDB58D0BCABE76AFC60428F364834463,SHA256=411AE446FE37B30C0727888C7FA5E88994A46DAFD41AA5B3B06C9E884549AFDE,IMPHASH=1085BD82B37A225F6D356012D2E69C3D
ParentProcessGuid: {c419c85b-8ebb-670f-4827-000000004700}
ParentProcessId: 21116
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\WINDOWS\system32\cmd.exe"
ParentUser: XXXXXXXXXX\XXXXXXXX
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
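The condition the summary describes, as an added example that is neither the rule file from this pull request nor SigmaHQ code: a Python matcher that parses Sysmon Process Create records of the kind shown above and flags `reg add` against the Winlogon key when the value name is one of AutoAdminLogon, DefaultUserName or DefaultPassword. The sample events are constructed (the first reuses the command line from the example event); treating AutoAdminLogon=0 as benign and redacting DefaultPassword data from the alert text are this example's own choices, not anything the pull request states.

```python
"""
Matcher for reg.exe writes to the Winlogon auto-logon values.

Added example, not the Sigma rule from this pull request and not SigmaHQ code:
it re-implements the condition the summary describes in Python so it can be
run offline over Sysmon Event ID 1 (Process Create) records.
"""
import shlex
from typing import Optional

# The Winlogon values named in the pull request summary (compared case-insensitively).
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword"}
# Suffix match so both the HKLM and HKEY_LOCAL_MACHINE spellings of the hive are covered.
WINLOGON_KEY_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"


def parse_sysmon_event(text: str) -> dict:
    """Turn the 'Field: value' lines of a Sysmon event into a dict."""
    event = {}
    for line in text.splitlines():
        field, sep, value = line.partition(": ")
        if sep:
            event[field.strip()] = value.strip()
    return event


def _unquote(token: str) -> str:
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def classify_reg_add(command_line: str) -> Optional[str]:
    """Return an alert reason for 'reg add' on a Winlogon auto-logon value, else None."""
    try:
        # posix=False keeps Windows backslashes literal and quoted key paths intact
        argv = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) < 3 or argv[1].lower() != "add":
        return None
    key = _unquote(argv[2]).rstrip("\\").lower()
    if not key.endswith(WINLOGON_KEY_SUFFIX):
        return None
    # collect the /v, /t and /d switches; /f takes no argument
    opts = {}
    i = 3
    while i < len(argv):
        switch = argv[i].lower()
        if switch in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[switch] = _unquote(argv[i + 1])
            i += 2
        else:
            i += 1
    value_name = opts.get("/v", "")
    if value_name.lower() not in AUTOLOGON_VALUES:
        return None
    data = opts.get("/d", "")
    # Assumption of this example: AutoAdminLogon=0 turns auto-logon off (what
    # hardening scripts do), so it is not reported; writes of DefaultUserName
    # or DefaultPassword are reported whatever the data.
    if value_name.lower() == "autoadminlogon" and data == "0":
        return None
    # never copy a plaintext password into alert text
    shown = "<redacted>" if value_name.lower() == "defaultpassword" else data or "<none>"
    return f"reg add on Winlogon value {value_name} (data={shown})"


def detect(event: dict) -> Optional[str]:
    """Apply the matcher to one parsed Process Create event."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    if image_name != "reg.exe" and original != "reg.exe":
        return None
    return classify_reg_add(event.get("CommandLine", ""))


# Constructed sample events (only the fields the matcher reads).
SAMPLE_EVENTS = [
    # the command line from the pull request's example event
    r"""Process Create:
Image: C:\Windows\System32\reg.exe
OriginalFileName: reg.exe
CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f""",
    # constructed: plaintext password written, long hive name, trailing backslash
    r"""Image: C:\Windows\System32\reg.exe
CommandLine: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" /v DefaultPassword /t REG_SZ /d Sup3rS3cret /f""",
    # constructed: auto-logon being switched off
    r"""Image: C:\Windows\System32\reg.exe
CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f""",
    # constructed: reg.exe writing an unrelated key
    r"""Image: C:\Windows\System32\reg.exe
CommandLine: reg add "HKCU\Software\Example" /v Setting /t REG_SZ /d 1 /f""",
    # constructed: a read of the value, not a write
    r"""Image: C:\Windows\System32\reg.exe
CommandLine: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon""",
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Return the alert reason (or None) for each sample event, in order."""
    return [detect(parse_sysmon_event(e)) for e in events]


if __name__ == "__main__":
    for text, reason in zip(SAMPLE_EVENTS, run_samples()):
        cmd = parse_sysmon_event(text).get("CommandLine", "")
        print(("ALERT " if reason else "ok    ") + cmd)
        if reason:
            print("      " + reason)
```

Matching on OriginalFileName as well as the image name follows the usual Sigma practice of not trusting the path alone; the suffix match on the key tolerates either hive spelling, mixed case and a trailing backslash, all of which reg.exe accepts.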