Skip to content

Commit

Permalink
Merge pull request SigmaHQ#2279 from frack113/malware
Browse files Browse the repository at this point in the history 
Add sysmon_win_reg_persistence_recycle_bin.yml
  • Loading branch information
@frack113
frack113 authored Nov 19, 2021
2 parents 264db60 + 8176d9b commit 13099ea
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions rules/windows/registry_event/sysmon_win_reg_persistence_recycle_bin.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
description: Detects persistence registry keys for Recycle Bin
references:
- https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
date: 2021/11/18
author: frack113
logsource:
category: registry_event
product: windows
detection:
Create_key:
EventType: RenameKey
NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open
Set_key:
EventType: SetValue
TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
condition: Create_key or Set_key
tags:
- attack.persistence
- attack.t1547
falsepositives:
- unknown
level: critical

0 comments on commit 13099ea

Please sign in to comment.