Merge pull request #3624 from splunk/sysmon_5_detection_fixes

pyth0n1c · web-flow · commit bb6f8b86ac86 · 2025-08-07T10:25:29.000-07:00
Update detections for Sysmon TA- 5.0.0
diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml
@@ -1,7 +1,7 @@
 name: Remcos client registry install entry
 id: f2a1615a-1d63-11ec-97d2-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-07-30'
 author: Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -19,7 +19,7 @@ data_source:
   - Sysmon EventID 13
 search:
   '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
-  WHERE (Registry.registry_key_name=*\\Software\\Remcos*) by Registry.action Registry.dest
+  WHERE (Registry.registry_path=*\\Software\\Remcos*) by Registry.action Registry.dest
   Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
   Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
@@ -1,8 +1,8 @@
 name: Windows Audit Policy Auditing Option Modified - Registry
 id: 27914692-9c62-44ea-9129-ceb429b61bd0
-version: 3
-date: '2025-05-02'
-author: Nasreddine Bencherchali, Splunk
+version: 4
+date: '2025-07-30'
+author: Nasreddine Bencherchali, Bhavin Patel, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects potentially suspicious modifications to
@@ -17,7 +17,7 @@ description: The following analytic detects potentially suspicious modifications
 data_source:
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_key_name="*\\Control\\Lsa"
+  as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Control\\Lsa*"
   Registry.registry_value_name IN ("CrashOnAuditFail", "FullPrivilegeAuditing", "AuditBaseObjects",
   "AuditBaseDirectories") by Registry.action Registry.dest Registry.process_guid Registry.process_id
   Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -1,8 +1,8 @@
 name: Windows Impair Defense Overide Win Defender Phishing Filter
 id: 10ca081c-57b1-4a78-ba56-14a40a7e116a
-version: 7
-date: '2025-05-02'
-author: Teoderick Contreras, Splunk
+version: 8
+date: '2025-07-30'
+author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: TTP
 data_source:
@@ -16,8 +16,8 @@ description: The following analytic detects modifications to the Windows registr
   lead to users unknowingly accessing harmful sites, resulting in potential security
   incidents or data compromises.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name =
-  "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9",
+  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =
+  "*\\MicrosoftEdge\\PhishingFilter*" Registry.registry_value_name IN ("EnabledV9",
   "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.action
   Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
   Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -1,8 +1,8 @@
 name: Windows Phishing Recent ISO Exec Registry
 id: cb38ee66-8ae5-47de-bd66-231c7bbc0b2c
-version: 8
-date: '2025-05-02'
-author: Teoderick Contreras, Splunk
+version: 9
+date: '2025-07-30'
+author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
 description: The following analytic detects the creation of registry artifacts when
@@ -16,8 +16,8 @@ description: The following analytic detects the creation of registry artifacts w
 data_source:
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso"
-  OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img"
+  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso*"
+  OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img*"
   by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
