Find sigma rule

Attack: Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

MITRE

Tactic

reconnaissance
discovery

technique

T1592.002
T1012

Test : Enumerate COM Objects in Registry with Powershell

OS

windows

Description:

This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. See: https://www.mandiant.com/resources/hunting-com-objects

Executor

powershell

Sigma Rule

posh_ps_susp_recon_export.yml (id: a9723fcc-881c-424c-8709-fd61442ab3c3)
posh_ps_susp_directory_enum.yml (id: 162e69a7-7981-4344-84a9-0f1c9a217a52)
registry_set_persistence_office_vsto.yml (id: 9d15044a-7cfe-4d23-8085-6ebc11df7685)
registry_set_asep_reg_keys_modification_office.yml (id: baecf8fb-edbf-429f-9ade-31fc3f22b970)
net_connection_win_office_outbound_non_local_ip.yml (id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84)
image_load_office_vbadll_load.yml (id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9)
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml (id: 349d891d-fef0-4fe4-bc53-eee623a15969)
proc_creation_win_susp_ntfs_short_name_path_use_image.yml (id: a96970af-f126-420d-90e1-d37bf25e50e1)
file_event_win_office_outlook_newform.yml (id: c3edc6a5-d9d4-48d8-930e-aab518390917)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test