Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create proc_creation_win_reg_add_AutoAdminLogon_key.yml #5053

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Create proc_creation_win_reg_add_AutoAdminLogon_key.yml #5053

wants to merge 6 commits into from

Conversation

Mahir-Ali-khan
Copy link
Contributor

Summary of the Pull Request

Detects the modification of registry values DefaultUserName,DefaultPassword and AutoAdminLogon to enable automatic logon. Attacker use this technique to achieve persistence.

Changelog

Example Log Event

Process Create:
RuleName: -
UtcTime: 2024-10-16 11:02:12.493
ProcessGuid: {c419c85b-9d34-670f-8328-000000004700}
ProcessId: 12348
Image: C:\Windows\System32\reg.exe
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: Registry Console Tool
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: reg.exe
CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
CurrentDirectory: C:\Users\user
User: XXXXXXXXXX\XXXXXXXX
LogonGuid: {c419c85b-9d89-670c-8fed-187f00000000}
LogonId: 0xF17ED8F
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: MD5=CDB58D0BCABE76AFC60428F364834463,SHA256=411AE446FE37B30C0727888C7FA5E88994A46DAFD41AA5B3B06C9E884549AFDE,IMPHASH=1085BD82B37A225F6D356012D2E69C3D
ParentProcessGuid: {c419c85b-8ebb-670f-4827-000000004700}
ParentProcessId: 21116
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\WINDOWS\system32\cmd.exe"
ParentUser: XXXXXXXXXX\XXXXXXXX

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 16, 2024
@Mahir-Ali-khan @frack113
Update rules-threat-hunting/windows/process_creation/proc_creation_wi…
71454a5 
…n_reg_add_autoadminlogon_key.yml

Co-authored-by: frack113 <[email protected]>
@frack113
Copy link
Member

frack113 commented Dec 4, 2024

Hi,
Sorry,it took me a while to do the research but the rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml cover it.
Find atomic test from lockbit
https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1562.001/T1562.001.md#atomic-test-33---lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd

reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f

Original rule reference can be updated if you want.

@frack113 frack113 added the Work In Progress Some changes are needed label Dec 4, 2024
@Mahir-Ali-khan
Copy link
Contributor Author

Hi @frack113,

Thanks added the "Related" attribute.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 left review comments

Assignees
No one assigned
Labels
Rules Windows Pull request add/update windows related rules Work In Progress Some changes are needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Mahir-Ali-khan @frack113