LoFP / legitimate admin script

Techniques

Sample rules

Powershell Timestomp

Description

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies a file's timestamps (the modify, access, create, and change times), often to make the file blend in with the other files in the same folder.

Detection logic

condition: selection_ioc
selection_ioc:
  ScriptBlockText|contains:
  - .CreationTime =
  - .LastWriteTime =
  - .LastAccessTime =
  - '[IO.File]::SetCreationTime'
  - '[IO.File]::SetLastAccessTime'
  - '[IO.File]::SetLastWriteTime'
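The `ScriptBlockText|contains` selection above, evaluated over a few constructed PowerShell script blocks (the text that Event ID 4104 script block logging records). This is an added example, not code from the LoFP page or the Sigma project; the sample script names and contents are constructed, and the first one is the "legitimate admin script" false positive this page groups rules under.

```python
"""Added example, not code from the LoFP page or the Sigma project: the
`ScriptBlockText|contains` selection above, run over constructed script blocks."""

# The indicator list, copied verbatim from the rule's detection logic.
TIMESTOMP_INDICATORS = [
    ".CreationTime =",
    ".LastWriteTime =",
    ".LastAccessTime =",
    "[IO.File]::SetCreationTime",
    "[IO.File]::SetLastAccessTime",
    "[IO.File]::SetLastWriteTime",
]


def timestomp_indicators(script_block_text: str) -> list:
    """Return the indicators present in the script block; an empty list means no match.
    Sigma's `contains` is case-insensitive, so both sides are lowercased first."""
    haystack = script_block_text.lower()
    return [ioc for ioc in TIMESTOMP_INDICATORS if ioc.lower() in haystack]


def triage(script_blocks: dict) -> dict:
    """Map each script block name to the indicators it tripped; non-matching blocks are left out."""
    results = {}
    for name, text in script_blocks.items():
        hits = timestomp_indicators(text)
        if hits:
            results[name] = hits
    return results


# Constructed samples. The names are ours; the text is what the 4104 event's
# ScriptBlockText field would carry.
SAMPLE_SCRIPT_BLOCKS = {
    # Legitimate admin script (the false-positive case for this rule): a restore job that
    # puts the original modification time back on files it copied out of a backup share.
    "restore_job": (
        "foreach ($f in Get-ChildItem D:\\restore -File) {\n"
        "  $orig = Get-Item (Join-Path \\\\backup01\\share $f.Name)\n"
        "  $f.LastWriteTime = $orig.LastWriteTime\n"
        "}\n"
    ),
    # The .NET static API instead of the property setter; the second half of the list.
    "dotnet_setter": "[IO.File]::SetCreationTime('C:\\temp\\a.log', (Get-Date))",
    # Reads the timestamp without assigning it: the trailing ' =' in the indicator is
    # what keeps this reporting script from firing the rule.
    "reporting_only": "Get-ChildItem C:\\logs | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) }",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{name}: {hits}")
```

Running it flags `restore_job` and `dotnet_setter` and leaves `reporting_only` alone. The restore job is exactly the benign hit the page's false-positive entry describes: the rule cannot tell a backup restore from an attacker resetting timestamps, so triage has to look at the script's origin (scheduled task, signed module, operator session) rather than the assignment itself.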

Registry Hide Function from User

Description

Detects registry modifications that hide internal tools or functions from the user (malware such as Agent Tesla and Hermetic Wiper uses this technique)

Detection logic

condition: 1 of selection_set_*
selection_set_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume

Registry Explorer Policy Modification

Description

Detects registry modifications that disable internal tools or functions in Explorer (malware such as Agent Tesla uses this technique)

Detection logic

condition: selection_set_1
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu

Disable Privacy Settings Experience in Registry

Description

Detects registry modifications that disable the Privacy Settings Experience

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience

Disable Internal Tools or Feature in Registry

Description

Detects registry modifications that change features of internal Windows tools (malware such as Agent Tesla uses this technique)

Detection logic

condition: 1 of selection_set_*
selection_set_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
  - Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
  - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
  - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
  - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
selection_set_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
  - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
  - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
  - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
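The four registry rules on this page (Registry Hide Function from User, Registry Explorer Policy Modification, Disable Privacy Settings Experience in Registry, Disable Internal Tools or Feature in Registry) all share one shape: an exact `Details` value AND a `TargetObject|endswith` list, combined either as a single `selection` or as `1 of selection_set_*`. The following added example, not code from the LoFP page or the Sigma project, is a minimal evaluator for that shape, with two of the rules transcribed and run over constructed Sysmon Event ID 13 (Value Set) records. The event records, the `id` field and the user hive prefix are constructed; the rule contents are copied from the page.

```python
"""Added example, not code from the LoFP page or the Sigma project: a minimal evaluator
for the registry rules above (Details + TargetObject|endswith, with the `selection` and
`1 of selection_set_*` conditions), run over constructed Sysmon Event ID 13 records."""
import fnmatch
from typing import Optional

# Two of the page's rules, transcribed from their detection logic; the other two registry
# rules on the page have the same shape and drop in unchanged.
RULES = {
    "Registry Hide Function from User": {
        "condition": "1 of selection_set_*",
        "selection_set_0": {
            "Details": "DWORD (0x00000000)",
            "TargetObject|endswith": [
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor",
            ],
        },
        "selection_set_1": {
            "Details": "DWORD (0x00000001)",
            "TargetObject|endswith": [
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume",
            ],
        },
    },
    "Disable Privacy Settings Experience in Registry": {
        "condition": "selection",
        "selection": {
            "Details": "DWORD (0x00000000)",
            "TargetObject|endswith": r"\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience",
        },
    },
}


def field_matches(event: dict, field_spec: str, wanted) -> bool:
    """One selection entry: `Field` (exact) or `Field|endswith`; a list of values is OR-ed.
    Sigma string comparisons are case-insensitive, hence the lowercasing."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (wanted if isinstance(wanted, list) else [wanted]):
        value = str(value).lower()
        if (modifier == "endswith" and actual.endswith(value)) or (modifier == "" and actual == value):
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """Every field listed in a selection must match (AND)."""
    return all(field_matches(event, spec, wanted) for spec, wanted in selection.items())


def rule_matches(event: dict, rule: dict) -> Optional[str]:
    """Name of the first selection that satisfies the rule's condition, or None.
    Handles the two condition shapes this page uses: a single selection name, and
    `1 of <glob>` (any selection whose name fits the glob)."""
    condition = rule["condition"]
    if condition.startswith("1 of "):
        glob = condition[len("1 of "):]
        names = [n for n in rule if n != "condition" and fnmatch.fnmatch(n, glob)]
    else:
        names = [condition]
    return next((n for n in names if selection_matches(event, rule[n])), None)


def evaluate(events: list) -> list:
    """Run every rule over every event; returns (event id, rule name, matched selection)."""
    return [(e["id"], rule_name, hit)
            for e in events
            for rule_name, rule in RULES.items()
            if (hit := rule_matches(e, rule))]


# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records; `id` is ours.
U = r"HKU\S-1-5-21-1-2-3-1001"   # constructed user hive prefix
SAMPLE_EVENTS = [
    {"id": "e1", "TargetObject": U + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip",
     "Details": "DWORD (0x00000000)"},          # tooltips hidden: selection_set_0
    {"id": "e2", "TargetObject": U + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip",
     "Details": "DWORD (0x00000001)"},          # tooltips restored: Details differs, no hit
    {"id": "e3", "TargetObject": U + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock",
     "Details": "DWORD (0x00000001)"},          # clock hidden: selection_set_1
    {"id": "e4", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience",
     "Details": "DWORD (0x00000000)"},          # the privacy-experience rule's single selection
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Event `e2` shows why the `Details` value is part of every selection: the same value name written with the opposite DWORD is the user turning the feature back on, which none of these rules is meant to flag. Because `TargetObject|endswith` ignores the hive prefix, a value set under HKCU by a logon script and the same value pushed under HKLM by a policy both match, which is the source of the "legitimate admin script" false positive this page lists; the `Image` and user fields of the event are what separate the two in triage.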