Rules Contributing to Suspicious Windows Registry Event: Persistence Alert

The following rules are used to identify suspicious Windows registry events usually in the persistence stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Persistence Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Potential Persistence Via Microsoft office Add-in

Detect potential persistence via the creation of a Microsoft office add-in file to make it run automatically.

More details

Rule ID

windows_registry_set_2

Query

{'selection1': {'TargetObject|contains': ['\\Software\\Microsoft\\Office\\']}, 'selection2': {'TargetObject|contains': ['\\Excel\\Options\\OPEN'], 'Details|startswith': '/R ', 'Details|endswith': '.xll'}, 'selection3': {'TargetObject|contains|all': ['\\PowerPoint\\AddIns', '\\Path'], 'Details|endswith': '.ppam'}, 'condition': 'selection1 and (selection2 or selection3)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring registry events

Rule Source

SigmaHQ,961e33d1-4f86-4fcf-80ab-930a708b2f82

Author: frack113

Tactics, Techniques, and Procedures

PERSISTENCE, T1137.006

References

Severity

Suppression Logic Based On

computer_name
event_data.TargetObject
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2023/01/15	high	Unknown