1acee50b1a695f3f38e17f3696b8aa47
[{"rule_id":520,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1650371481298,"modify_time":1650371613163,"severity":"SEV_030_MEDIUM","source":"frank.bussink@scrt.ch","comment":"SCRT switzerland - k4nfr3 - 19\/04\/2022\nFollowing Mr D0x research : https:\/\/mrd0x.com\/cortex-xdr-analysis-and-bypass\/\nit requires privilege and a reboot.\nThis is until PAN will provide real signature","status":"ENABLED","category":"EVASION","indicator":{"runOnCGO":true,"investigationType":"REGISTRY_EVENT","investigation":{"REGISTRY_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"agent_os_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":1,"EXTRA_FIELDS":[],"isExtended":false,"node":"xdr_agent"},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"4","isExtended":false},{"SEARCH_FIELD":"action_registry_value_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"ServiceDll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_registry_data","SEARCH_TYPE":"REGEX_NOT","SEARCH_VALUE":"cryptsvc.dll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_registry_key_name","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet\\d\\d\\d\\\\Services\\\\CryptSvc\\\\Parameters","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"0186f58365c1a1c03da6e6ec2d052093","indicator_text":"Registry registry data !=~ cryptsvc.dll AND registry key name =~ HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet\\d\\d\\d\\\\Services\\\\CryptSvc\\\\Parameters AND registry value name = ServiceDll AND action type = set_registry_value Host host os = windows","name":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","mitre_technique_id_and_name":"T1562.001 - Impair Defenses: Disable or Modify 
Tools","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1562.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","tactic_id":[],"technique_id":["T1562.001"],"biocRuleName":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","biocId":520,"additionalData":"{}"}}},"rule_data":"(deftemplate registry_operation_520 (slot cid)) (defrule registry_operation_520 (registry_operation (hive ?hive) (sub_type ?sub_type) (key_name ?key_name) (value ?value) (cid ?cid) (value_name ?value_name &: (and (eq ?sub_type ?*reg_set_value*) (eq ?value_name \"servicedll\") (not (regex ?value \"cryptsvc.dll\" 0)) (and (regex ?key_name \"\\\\system\\\\\\\\controlset\\\\d\\\\d\\\\d\\\\\\\\services\\\\\\\\cryptsvc\\\\\\\\parameters\" 0) (eq ?hive ?*hklm*))))) (not (registry_operation_520 (cid ?cid))) => (assert (registry_operation_520 (cid ?cid))))"}},"btp_rule_name":"registry_operation_520","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null}]