Merge pull request #549 from Yamato-Security/476-sysmon-registry-conv…

…ersion

feat: Sysmon registry rule conversion

sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml

@@ -20,8 +20,8 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        EventType: CreateKey
-        TargetObject|contains: \Software\Sysinternals\SDelete
+        OperationType: '%%1904'
+        ObjectName|contains: \Software\Sysinternals\SDelete
     condition: registry_add and selection
 falsepositives:
     - Unknown

sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml

@@ -19,7 +19,7 @@ detection:
         EventID: 4657
         Channel: Security
     main_selection:
-        TargetObject|contains:
+        ObjectName|contains:
             - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
             - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
             - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
@@ -39,19 +39,19 @@ detection:
             - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
             - \Control Panel\Desktop\Scrnsave.exe
     session_manager_base:
-        TargetObject|contains: \System\CurrentControlSet\Control\Session Manager
+        ObjectName|contains: \System\CurrentControlSet\Control\Session Manager
     session_manager:
-        TargetObject|contains:
+        ObjectName|contains:
             - \SetupExecute
             - \S0InitialCommand
             - \KnownDlls
             - \Execute
             - \BootExecute
             - \AppCertDlls
     current_version_base:
-        TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
+        ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
     current_version:
-        TargetObject|contains:
+        ObjectName|contains:
             - \ShellServiceObjectDelayLoad
             - \Run
             - \Policies\System\Shell
@@ -69,9 +69,9 @@ detection:
             - \Authentication\Credential Providers
             - \Authentication\Credential Provider Filters
     nt_current_version_base:
-        TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
+        ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
     nt_current_version:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Winlogon\VmApplet
             - \Winlogon\Userinit
             - \Winlogon\Taskman
@@ -87,9 +87,9 @@ detection:
             - \Windows\Run
             - \Windows\Load
     wow_current_version_base:
-        TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
+        ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
     wow_current_version:
-        TargetObject|contains:
+        ObjectName|contains:
             - \ShellServiceObjectDelayLoad
             - \Run
             - \Explorer\ShellServiceObjects
@@ -98,18 +98,18 @@ detection:
             - \Explorer\SharedTaskScheduler
             - \Explorer\Browser Helper Objects
     wow_nt_current_version_base:
-        TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
+        ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
     wow_nt_current_version:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Windows\Appinit_Dlls
             - \Image File Execution Options
             - \Drivers32
     wow_office:
-        TargetObject|contains: \Software\Wow6432Node\Microsoft\Office
+        ObjectName|contains: \Software\Wow6432Node\Microsoft\Office
     office:
-        TargetObject|contains: \Software\Microsoft\Office
+        ObjectName|contains: \Software\Microsoft\Office
     wow_office_details:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Word\Addins
             - \PowerPoint\Addins
             - \Outlook\Addins
@@ -118,18 +118,18 @@ detection:
             - \Access\Addins
             - test\Special\Perf
     wow_ie:
-        TargetObject|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
+        ObjectName|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
     ie:
-        TargetObject|contains: \Software\Microsoft\Internet Explorer
+        ObjectName|contains: \Software\Microsoft\Internet Explorer
     wow_ie_details:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Toolbar
             - \Extensions
             - \Explorer Bars
     wow_classes_base:
-        TargetObject|contains: \Software\Wow6432Node\Classes
+        ObjectName|contains: \Software\Wow6432Node\Classes
     wow_classes:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Folder\ShellEx\ExtShellFolderViews
             - \Folder\ShellEx\DragDropHandlers
             - \Folder\ShellEx\ColumnHandlers
@@ -143,9 +143,9 @@ detection:
             - \ShellEx\PropertySheetHandlers
             - \ShellEx\ContextMenuHandlers
     classes_base:
-        TargetObject|contains: \Software\Classes
+        ObjectName|contains: \Software\Classes
     classes:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Folder\ShellEx\ExtShellFolderViews
             - \Folder\ShellEx\DragDropHandlers
             - \Folder\Shellex\ColumnHandlers
@@ -163,23 +163,23 @@ detection:
             - \ShellEx\PropertySheetHandlers
             - \ShellEx\ContextMenuHandlers
     scripts_base:
-        TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts
+        ObjectName|contains: \Software\Policies\Microsoft\Windows\System\Scripts
     scripts:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Startup
             - \Shutdown
             - \Logon
             - \Logoff
     winsock_parameters_base:
-        TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
+        ObjectName|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
     winsock_parameters:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Protocol_Catalog9\Catalog_Entries
             - \NameSpace_Catalog5\Catalog_Entries
     system_control_base:
-        TargetObject|contains: \SYSTEM\CurrentControlSet\Control
+        ObjectName|contains: \SYSTEM\CurrentControlSet\Control
     system_control:
-        TargetObject|contains:
+        ObjectName|contains:
             - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
             - \Terminal Server\Wds\rdpwd\StartupPrograms
             - \SecurityProviders\SecurityProviders
@@ -191,9 +191,9 @@ detection:
             - \Lsa\Authentication Packages
             - \BootVerificationProgram\ImagePath
     filter:
-        -   Details: (Empty)
-        -   TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
-        -   Image: C:\WINDOWS\System32\svchost.exe
+        -   NewValue: (Empty)
+        -   ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
+        -   ProcessName: C:\WINDOWS\System32\svchost.exe
     condition: registry_event and (( main_selection or session_manager_base and session_manager
         or current_version_base and current_version or nt_current_version_base and
         nt_current_version or wow_current_version_base and wow_current_version or

sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml

@@ -29,8 +29,8 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
-        Details|endswith:
+        ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+        NewValue|endswith:
             - .sh
             - .exe
             - .dll
@@ -46,10 +46,10 @@ detection:
             - .vbs
     condition: registry_set and selection
 fields:
+    - ObjectName
+    - NewValue
     - EventID
     - CommandLine
-    - TargetObject
-    - Details
 falsepositives:
     - Unknown
 level: high

sigma/builtin/deprecated/registry_set_add_hidden_user.yml

@@ -19,9 +19,9 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
-        TargetObject|endswith: $
-        Details: DWORD (0x00000000)
+        ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
+        ObjectName|endswith: $
+        NewValue: DWORD (0x00000000)
     condition: registry_set and selection
 falsepositives:
     - Unknown

sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml

@@ -21,13 +21,13 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains: \SOFTWARE\Microsoft\Office\
-        TargetObject|endswith:
+        ObjectName|contains: \SOFTWARE\Microsoft\Office\
+        ObjectName|endswith:
             - VBAWarnings
             - DisableInternetFilesInPV
             - DisableUnsafeLocationsInPV
             - DisableAttachementsInPV
-        Details: DWORD (0x00000001)
+        NewValue: DWORD (0x00000001)
     condition: registry_set and selection
 falsepositives:
     - Unknown

sigma/builtin/deprecated/registry_set_office_security.yml

@@ -21,7 +21,7 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|endswith:
+        ObjectName|endswith:
             - \Security\Trusted Documents\TrustRecords
             - \Security\AccessVBOM
             - \Security\VBAWarnings

sigma/builtin/deprecated/registry_set_silentprocessexit.yml

@@ -20,8 +20,8 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
-        Details|contains: MonitorProcess
+        ObjectName|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
+        NewValue|contains: MonitorProcess
     condition: registry_set and selection
 falsepositives:
     - Unknown

sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -24,11 +24,11 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|endswith:
+        ObjectName|endswith:
             - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
             - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
     filter:
-        Details|endswith:
+        NewValue|endswith:
             - system32\wbem\wmiutils.dll
             - system32\wbem\wbemsvc.dll
     condition: registry_set and (selection and not filter)

sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml

@@ -19,10 +19,10 @@ detection:
         EventID: 4657
         Channel: Security
     selection_path:
-        TargetObject|contains: \Microsoft\Windows\CurrentVersion\Run\
+        ObjectName|contains: \Microsoft\Windows\CurrentVersion\Run\
     selection_value:
-        -   TargetObject|contains: Microsift
-        -   Details|contains: .exe Platypus
+        -   ObjectName|contains: Microsift
+        -   NewValue|contains: .exe Platypus
     condition: registry_set and (all of selection_*)
 falsepositives:
     - Unlikely

sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml

@@ -23,10 +23,10 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains|all:
+        ObjectName|contains|all:
             - \SOFTWARE\Microsoft\Office\
             - \Outlook\
-        TargetObject|contains:
+        ObjectName|contains:
             - \Tasks\
             - \Notes\
     condition: registry_set and selection

sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml

@@ -19,10 +19,10 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains|all:
+        ObjectName|contains|all:
             - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-
             - \ProfileImagePath
-        Details|contains:
+        NewValue|contains:
             - ANONYMOUS
             - _DomainUser_
     condition: registry_set and selection

sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml

@@ -18,7 +18,7 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|endswith: SECURITY\Policy\Secrets\n
+        ObjectName|endswith: SECURITY\Policy\Secrets\n
     condition: registry_event and selection
 level: high
 ruletype: Sigma

sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml

@@ -20,10 +20,10 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
+        ObjectName|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
     filter_main_wav:
-        -   TargetObject|endswith: .AssocFile.WAV
-        -   TargetObject|contains: .wav.
+        -   ObjectName|endswith: .AssocFile.WAV
+        -   ObjectName|contains: .wav.
     condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
     - Some additional tuning might be required to tune out legitimate processes that

sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml

@@ -21,7 +21,7 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        TargetObject|contains|all:
+        ObjectName|contains|all:
             - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
             - Windows TeamCity Settings User Interface
     condition: registry_event and selection

sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml

@@ -22,8 +22,8 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        EventType: CreateKey
-        TargetObject|contains: \software\NetWire
+        OperationType: '%%1904'
+        ObjectName|contains: \software\NetWire
     condition: registry_add and selection
 falsepositives:
     - Unknown

sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml

@@ -19,10 +19,10 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        EventType: CreateKey
-        TargetObject|contains: \Software\AppDataLow\Software\Microsoft\
+        OperationType: '%%1904'
+        ObjectName|contains: \Software\AppDataLow\Software\Microsoft\
     filter:
-        TargetObject|contains:
+        ObjectName|contains:
             - \SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\
             - \SOFTWARE\AppDataLow\Software\Microsoft\RepService\
             - \SOFTWARE\AppDataLow\Software\Microsoft\IME\

sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml

@@ -19,12 +19,12 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        EventType: CreateKey
-        TargetObject|contains:
+        OperationType: '%%1904'
+        ObjectName|contains:
             - \SOFTWARE\Microsoft\AMSI\Providers\
             - \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\
     filter:
-        Image|startswith:
+        ProcessName|startswith:
             - C:\Windows\System32\
             - C:\Program Files\
             - C:\Program Files (x86)\

sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml

@@ -18,13 +18,13 @@ detection:
         EventID: 4657
         Channel: Security
     selection:
-        EventType: CreateKey
-        TargetObject|contains|all:
-            - HKU\
+        OperationType: '%%1904'
+        ObjectName|contains|all:
+            - \REGISTRY\USER\
             - Classes\CLSID\
             - \TreatAs
     filter_svchost:
-        Image: C:\WINDOWS\system32\svchost.exe
+        ProcessName: C:\WINDOWS\system32\svchost.exe
     condition: registry_add and (selection and not 1 of filter_*)
 falsepositives:
     - Maybe some system utilities in rare cases use linking keys for backward compatibility