legitimate admin script

Techniques

Sample rules

Disable Internal Tools or Feature in Registry

source: sigma
technicques:
- t1112

Description

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Detection logic

condition: 1 of selection_set_*
selection_set_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
  - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
  - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
  - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
  - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
  - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD

Disable Privacy Settings Experience in Registry

source: sigma
technicques:
- t1562
- t1562.001

Description

Detects registry modifications that disable Privacy Settings Experience

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience

Registry Hide Function from User

source: sigma
technicques:
- t1112

Description

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

Detection logic

condition: 1 of selection_set_*
selection_set_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume

Registry Explorer Policy Modification

source: sigma
technicques:
- t1112

Description

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

Detection logic

condition: selection_set_1
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu

Powershell Timestomp

source: sigma
technicques:
- t1070
- t1070.006

Description

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Detection logic

condition: selection_ioc
selection_ioc:
  ScriptBlockText|contains:
  - .CreationTime =
  - .LastWriteTime =
  - .LastAccessTime =
  - '[IO.File]::SetCreationTime'
  - '[IO.File]::SetLastAccessTime'
  - '[IO.File]::SetLastWriteTime'