fix(rule): Improve Hidden local account creation rule

rabbitstack · rabbitstack · commit 39c82f3966e1 · 2025-02-02T20:18:30.000+01:00
The condition is modified to consider both, RegCreateKey and RegSetValue events. The registry key path trailing backslashes are removed because in case of RegCreateKey events, the registry key is reported without ending backslashes.
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -50,7 +50,7 @@
   expr: kevt.name = 'RegCreateKey' and registry.status = 'Success'
 
 - macro: modify_registry
-  expr: (set_value or create_key)
+  expr: ((set_value) or (create_key))
 
 - macro: send_socket
   expr: kevt.name = 'Send'
diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml
@@ -17,10 +17,10 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/
 
 condition: >
-  set_value and registry.path imatches 
+  modify_registry and registry.path imatches 
     (
-      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\',
-      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\'
+      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$',
+      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$'
     )
 
 severity: high

Original file line number	Diff line number	Diff line change
`@@ -17,10 +17,10 @@ labels:`
`17`	`17`	`subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/`
`18`	`18`
`19`	`19`	`condition: >`
`20`		`- set_value and registry.path imatches`
	`20`	`+ modify_registry and registry.path imatches`
`21`	`21`	`(`
`22`		`- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\',`
`23`		`- 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\'`
	`22`	`+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$',`
	`23`	`+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$'`
`24`	`24`	`)`
`25`	`25`
`26`	`26`	`severity: high`