
Add more keys concerned with lsa ppl protection#5399

Open

swachchhanda000 wants to merge 4 commits into SigmaHQ:master from swachchhanda000:lsa_ppl_disabled

Conversation

swachchhanda000 (Collaborator) commented May 1, 2025

Summary of the Pull Request

Add more keys concerned with lsa ppl protection

Changelog

update: LSA PPL Protection Disabled Via Reg.EXE - Add more keys regarding LSA PPL


@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels May 1, 2025
Comment on lines +36 to +39
filter:
CommandLine|contains:
- "01"
- "02"
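Review bot: the `- "01"` and `- "02"` entries under `CommandLine|contains` match those digit pairs anywhere in the command line, not only in the `/d` data, so the filter also suppresses a genuine `/d 0` write whenever the key path, value name or any other argument happens to contain "01" or "02", while a hex form such as `/d 0x1` contains neither pair and is not excluded at all. If the intent is to exclude non-zero data, anchor the pattern to the data switch (for example a `CommandLine|re:` expression on the `/d` argument) or, as the thread later settles on, drop the filter and alert on any write to these values.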
Collaborator (reviewer):

What is filtered here? Can you give an example? (Is it a main or optional filter?)

swachchhanda000 (Collaborator, author):

When modifying the registry using the reg command, you can pass a value using either of the following formats:

/d 0
/d 00000000

For example:

The intention of the rule is to catch this command line:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "RunAsPPL" /t REG_DWORD /d "0"

But this means the rule will be triggered if the value is set like this:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "RunAsPPL" /t REG_DWORD /d "00000001"

or similarly with other non-zero DWORD values like "00000002".

Collaborator (reviewer):

  1. So it's a main filter.
  2. Maybe you can rewrite the rule to be more robust? Maybe it works without this filter. It's a regex if it has to be.
  3. Maybe use /v /d with windash.

swachchhanda000 (Collaborator, author) commented Dec 26, 2025:

I just found out we cannot really use this logic either, as it is also possible to use 0x0.

Member:

You should care about any modification of these key/values via CLI. So drop the filter.

And move the rule to medium

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
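The thread above turns on one practical point: reg.exe accepts the same REG_DWORD data as "0", "00000000" or "0x0", so a substring filter on the raw command line cannot tell "disabled" from "enabled". The following is an added example, not code from this PR or from the SigmaHQ project, of the detection logic a pipeline could run after the Sigma rule matches. It tokenises a reg add command line, normalises the /d data to an integer, and (following the Member's guidance) flags any CLI write to the watched RunAsPPL values while reporting what was set. The policy key is the one quoted in the thread; the HKLM\SYSTEM\CurrentControlSet\Control\Lsa location is Microsoft's documented non-policy home for RunAsPPL. Accepting "-" as well as "/" for switches mirrors the windash suggestion and is an assumption; all sample command lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Key/value pairs to watch (lower-cased). The policy key is the one quoted in the
# PR thread; Control\Lsa is the documented non-policy location of RunAsPPL.
# Extend this set with any further keys the rule is meant to cover.
WATCHED_VALUES = {
    (r"hklm\software\policies\microsoft\windows\system", "runasppl"),
    (r"hklm\system\currentcontrolset\control\lsa", "runasppl"),
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def normalize_dword(data: str) -> Optional[int]:
    """Turn the /d argument of a REG_DWORD write into an int.

    reg.exe accepts decimal ("0", "00000001") and 0x-prefixed hex ("0x0"),
    which is why a raw-string filter like contains "01"/"02" is unreliable.
    Returns None when the data is not a valid number.
    """
    s = data.strip().lower()
    try:
        return int(s[2:], 16) if s.startswith("0x") else int(s, 10)
    except ValueError:
        return None


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse 'reg add <key> [/v name | /ve] [/t type] [/d data] [/f]'.

    Assumption: switches may be written with '/' or '-' (the windash idea from
    the review). Returns None when the command line is not a reg add.
    """
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]  # tolerate a full path to reg.exe
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    r = RegAdd(key=toks[2])
    fields = {"v": "value_name", "t": "value_type", "d": "data"}
    i = 3
    while i < len(toks):
        t = toks[i]
        flag = t[1:].lower() if t[:1] in ("/", "-") else None
        if flag == "ve":                      # default (unnamed) value
            r.value_name = ""
            i += 1
        elif flag in fields and i + 1 < len(toks):
            setattr(r, fields[flag], toks[i + 1])
            i += 2
        else:
            i += 1
    return r


def canonical_key(key: str) -> str:
    """Lower-case, strip stray backslashes and fold HKEY_LOCAL_MACHINE to HKLM."""
    k = key.strip().strip("\\").lower()
    return re.sub(r"^hkey_local_machine(?=\\)", "hklm", k)


def evaluate(cmdline: str) -> Optional[dict]:
    """Return a finding for any reg.exe write to a watched value, else None.

    Every modification is reported (the thread's final position); the
    normalised data lets the analyst see whether PPL was turned off (0).
    """
    r = parse_reg_add(cmdline)
    if r is None:
        return None
    if (canonical_key(r.key), (r.value_name or "").lower()) not in WATCHED_VALUES:
        return None
    dword = normalize_dword(r.data) if r.data is not None else None
    return {"key": r.key, "value": r.value_name, "data": dword,
            "disables_ppl": dword == 0}


def old_filter_drops(cmdline: str) -> bool:
    """The reviewed snippet's filter: CommandLine|contains "01" or "02"."""
    return "01" in cmdline or "02" in cmdline


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real event.
    samples = [
        r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "RunAsPPL" /t REG_DWORD /d "0"',
        r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "RunAsPPL" /t REG_DWORD /d "00000001"',
        r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa -v RunAsPPL -t REG_DWORD -d 0x0 -f',
        r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0x1 /f',
        r'reg add HKCU\Software\Example /v Setting /t REG_DWORD /d 0',
    ]
    for s in samples:
        print(f"{s}\n  -> {evaluate(s)}  old_filter_drops={old_filter_drops(s)}")
```

Running the block shows the problem the author hit: "00000001" and "0x1" both normalise to 1, yet only the first is excluded by the substring filter, and "0x0" is treated like "0". Reporting every write and attaching the normalised value keeps the alert simple while preserving the detail needed for triage.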

Labels: Review Needed (The PR requires review), Rules, Windows (Pull request add/update windows related rules)
