From b97e58767320c5ffbd99157ccd3af6c03c50f00c Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Wed, 16 Oct 2024 16:38:13 +0530
Subject: [PATCH 1/5] Create proc_creation_win_reg_add_AutoAdminLogon_key.yml
---
 ...reation_win_reg_add_AutoAdminLogon_key.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml
new file mode 100644
index 00000000000..f4b765a81c2
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml
@@ -0,0 +1,29 @@
+title: Detect modification of AutoLogon and Default credential registry
+id: ecd4968d-3cea-4626-a6ef-84e4e50fd415
+status: experimental
+description: Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon.Attacker use this technique to achieve persistence.
+references:
+ - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware
+author: MahirAli Khan (in/mahiralikhan)
+date: 2024-10-16
+tags:
+ - attack.persistence
+ - detection.threat-hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ options:
+ CommandLine|contains:
+ - 'DefaultUserName'
+ - 'DefaultPassword'
+ - 'AutoAdminLogon'
+ condition: selection and options
+falsepositives:
+ - Legitimate system administrators modifying registry settings for automatic logon.
+level: medium
From f5cf79aa7774f7b06e1c06ff18cc30b23eae89ff Mon Sep 17 00:00:00 2001
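Review bot: The `'reg'` and `'add'` tokens in `selection` are weak anchors: `contains` on `'reg'` matches any command line with that substring (regsvr32, regedit, a path containing "reg"), while a PowerShell `Set-ItemProperty`/`New-ItemProperty` against the same Winlogon path is missed entirely because neither `reg` nor `add` appears in it. Anchoring on the process instead, e.g. `Image|endswith: '\reg.exe'` (or `OriginalFileName: 'reg.exe'`) together with `CommandLine|contains: ' add '`, is tighter, and the PowerShell write would need its own selection or, better, a companion `registry_set` rule that sees the value change regardless of the tool used. The `tags` list carries only the tactic; a technique tag is expected by the Sigma schema, and since `DefaultPassword` stores a cleartext credential this also maps to Unsecured Credentials: Credentials in Registry (T1552.002) — confirm the ID against the ATT&CK page before adding it. `DefaultUserName` on its own is commonly written by imaging/provisioning tooling, so the `falsepositives` entry could name that case explicitly to guide triage.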
From: MahirAli Khan
Date: Tue, 22 Oct 2024 10:51:03 +0530
Subject: [PATCH 2/5] Update and rename proc_creation_win_reg_add_AutoAdminLogon_key.yml to proc_creation_win_reg_add_autoadminlogon_key.yml
---
 ...key.yml => proc_creation_win_reg_add_autoadminlogon_key.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules-threat-hunting/windows/process_creation/{proc_creation_win_reg_add_AutoAdminLogon_key.yml => proc_creation_win_reg_add_autoadminlogon_key.yml} (92%)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
similarity index 92%
rename from rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
index f4b765a81c2..1d3f045c111 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_AutoAdminLogon_key.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
@@ -1,4 +1,4 @@
-title: Detect modification of AutoLogon and Default credential registry
+title: Detect modification of AutoAdminLogon and Default credential registry
 id: ecd4968d-3cea-4626-a6ef-84e4e50fd415
 status: experimental
 description: Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon.Attacker use this technique to achieve persistence.
From dc571726401594e4f42c4ea474cf003ec3bcedcc Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Wed, 6 Nov 2024 18:18:38 +0530
Subject: [PATCH 3/5] Update proc_creation_win_reg_add_autoadminlogon_key.yml
---
 .../proc_creation_win_reg_add_autoadminlogon_key.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
index 1d3f045c111..c5eac96ed55 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
@@ -1,4 +1,4 @@
-title: Detect modification of AutoAdminLogon and Default credential registry
+title: Detect modification of AutoAdminLogon
 id: ecd4968d-3cea-4626-a6ef-84e4e50fd415
 status: experimental
 description: Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon.Attacker use this technique to achieve persistence.
From beb41ca168397c6bd898db515371cf1fd19d30f8 Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Tue, 12 Nov 2024 10:54:19 +0530
Subject: [PATCH 4/5] Update proc_creation_win_reg_add_autoadminlogon_key.yml
---
 .../proc_creation_win_reg_add_autoadminlogon_key.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
index c5eac96ed55..a1b34ba7ebc 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
@@ -1,4 +1,4 @@
-title: Detect modification of AutoAdminLogon
+title: Detect Modification of AutoAdminLogon
 id: ecd4968d-3cea-4626-a6ef-84e4e50fd415
 status: experimental
 description: Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon.Attacker use this technique to achieve persistence.
From 71454a515fdb5d20e15612bedd2c4b4e2f2c5235 Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Wed, 27 Nov 2024 11:15:40 +0530
Subject: [PATCH 5/5] Update rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../proc_creation_win_reg_add_autoadminlogon_key.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
index a1b34ba7ebc..fd667382a9a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_reg_add_autoadminlogon_key.yml
@@ -13,17 +13,17 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_reg:
 CommandLine|contains|all:
 - 'reg'
 - 'add'
 - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- options:
+ selection_options:
 CommandLine|contains:
 - 'DefaultUserName'
 - 'DefaultPassword'
 - 'AutoAdminLogon'
- condition: selection and options
+ condition: all of selection_*
 falsepositives:
 - Legitimate system administrators modifying registry settings for automatic logon.
 level: medium