Commit 315c778

Update windows_detect_wpdbusenum_registry_key_modification.yml
Update search YAML for better readability / remove single-quote issues in SPL
1 parent a51cebb commit 315c778

1 file changed (+7, -6 lines)

detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml

Lines changed: 7 additions & 6 deletions
@@ -9,12 +9,13 @@ description: This analytic is used to identify when a USB removable media device
99
data_source:
1010
- Sysmon Event ID 12
1111
- Sysmon Event ID 13
12-
search: '| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data
13-
| `drop_dm_object_name(Registry)`
14-
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
15-
| `security_content_ctime(firstTime)`
16-
| `security_content_ctime(lastTime)`
17-
| `windows_detect_wpdbusenum_registry_key_modification_filter`'
12+
search: |-
13+
| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data
14+
| `drop_dm_object_name(Registry)`
15+
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
16+
| `security_content_ctime(firstTime)`
17+
| `security_content_ctime(lastTime)`
18+
| `windows_detect_wpdbusenum_registry_key_modification_filter`
1819
how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
1920
known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
2021
references:
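Review bot: The move from a single-quoted scalar to a `|-` block scalar is behaviour-preserving only if the continuation lines are indented consistently under `search:`; a YAML block scalar's content must be indented more than its key, and the rendered diff drops that indentation, so please confirm the file parses before merging. On the content itself, neither YAML form interprets backslash escapes, so the `"HKLM\\SOFTWARE\\...\\Devices\\*"` and `"...\\WPDBUSENUM\\*"` patterns reach Splunk unchanged, which is the intended outcome. One logic point in the `eval` line: `object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")` assumes every matched path contains the `??` token and a `&`-separated instance id; the `where` clause admits two path families (`Windows Portable Devices\Devices\*` and `Enum\SWD\WPDBUSENUM\*`), and if the former does not follow that layout `object_name` will be null for those events. Consider a fallback such as `object_name = coalesce(<parsed value>, registry_value_data)` so the field is always populated. Also note that Splunk's `replace()` is regex-based and case-sensitive, so `"PROD_"` will not strip a lower- or mixed-case `Prod_` prefix; `"(?i)PROD_"` would cover both.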
