Rules Contributing to Suspicious Windows Registry Event: Persistence Alert
The following rules are used to identify suspicious Windows registry events, usually in the persistence stage. Any one or more of these rules will trigger the Suspicious Windows Registry Event: Persistence alert. Details for each rule can be viewed by clicking the More Details link in its description.
| Title | Description |
|---|---|
| Potential Persistence Via Microsoft Office Add-in | Detect potential persistence via the creation of a Microsoft Office add-in file to make it run automatically. More details |

Rule ID:

Query:

```python
{'selection1': {'TargetObject|contains': ['\\Software\\Microsoft\\Office\\']},
 'selection2': {'TargetObject|contains': ['\\Excel\\Options\\OPEN'],
                'Details|startswith': '/R ',
                'Details|endswith': '.xll'},
 'selection3': {'TargetObject|contains|all': ['\\PowerPoint\\AddIns', '\\Path'],
                'Details|endswith': '.ppam'},
 'condition': 'selection1 and (selection2 or selection3)'}
```

| Field | Value |
|---|---|
| Log Source | Stellar Cyber Windows Server Sensor configured for: |
| Rule Source | SigmaHQ, 961e33d1-4f86-4fcf-80ab-930a708b2f82 |
| Author | frack113 |
| Tactics, Techniques, and Procedures | |
| References | |
| Severity | 75 |
| Suppression Logic Based On | |
| Additional Information | |
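As an added illustration, not part of the Stellar Cyber page or of the SigmaHQ rule's own tooling, the Python below implements the three selections and the `selection1 and (selection2 or selection3)` condition from the query above and evaluates them over a few constructed registry value-set events in the Sysmon Event ID 13 shape (fields `TargetObject` and `Details`). The sample events, the function names and the case-insensitive comparison (Sigma's default for the `contains`, `startswith` and `endswith` modifiers) are assumptions of this example.

```python
"""Evaluate the Office add-in persistence Sigma rule over sample registry events.

Constructed example: the events below are invented to exercise each branch of
the rule and do not come from a real host.
"""

# Substrings from the rule's selections (Windows paths, so backslashes are doubled).
SEL1_OFFICE = "\\Software\\Microsoft\\Office\\"
SEL2_EXCEL_OPEN = "\\Excel\\Options\\OPEN"
SEL3_PPT_ADDIN = ("\\PowerPoint\\AddIns", "\\Path")


def _lc(value):
    """Lower-case a field value; Sigma string modifiers match case-insensitively."""
    return (value or "").lower()


def selection1(event):
    """TargetObject|contains '\\Software\\Microsoft\\Office\\'."""
    return SEL1_OFFICE.lower() in _lc(event.get("TargetObject"))


def selection2(event):
    """Excel OPEN value registering an .xll via the '/R ' switch."""
    target, details = _lc(event.get("TargetObject")), _lc(event.get("Details"))
    return (SEL2_EXCEL_OPEN.lower() in target
            and details.startswith("/r ")
            and details.endswith(".xll"))


def selection3(event):
    """PowerPoint AddIns ...\\Path value pointing at a .ppam file."""
    target, details = _lc(event.get("TargetObject")), _lc(event.get("Details"))
    return (all(part.lower() in target for part in SEL3_PPT_ADDIN)
            and details.endswith(".ppam"))


def matches(event):
    """The rule's condition: selection1 and (selection2 or selection3)."""
    return selection1(event) and (selection2(event) or selection3(event))


def evaluate_rule(events):
    """Return the indices of the events that would raise the alert."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (assumed Sysmon Event ID 13 field names).
SAMPLE_EVENTS = [
    {   # Excel add-in registered through the OPEN value: matches selection1 + selection2
        "EventID": 13,
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Options\\OPEN",
        "Details": "/R C:\\Users\\alice\\AppData\\Roaming\\updater.xll",
    },
    {   # PowerPoint add-in Path value: matches selection1 + selection3
        "EventID": 13,
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\AddIns\\Helper\\Path",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\helper.ppam",
    },
    {   # Same OPEN value but a .xlam add-in: selection2's endswith fails, no alert
        "EventID": 13,
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Options\\OPEN",
        "Details": "/R C:\\Program Files\\Analysis\\solver.xlam",
    },
    {   # Not under the Office key at all: selection1 fails, no alert
        "EventID": 13,
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Tools\\updater.xll",
    },
]

if __name__ == "__main__":
    for idx in evaluate_rule(SAMPLE_EVENTS):
        print("ALERT event", idx, SAMPLE_EVENTS[idx]["TargetObject"])
```

The third sample shows the rule's scope: an Excel add-in that is not an `.xll` (here `.xlam`) is not covered by selection2, so a detection engineer who wants that case needs a separate rule rather than expecting this one to fire.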