[Tuning] Uncommon Registry Persistence Change (#4286)

* Update persistence_registry_uncommon.toml Add registry rules for additional SMSS persistence vectors * Update persistence_registry_uncommon.toml * Update persistence_registry_uncommon.toml --------- Co-authored-by: Samirbous <[email protected]> Co-authored-by: Jonhnathan <[email protected]> (cherry picked from commit c99cf92)
elastic · Dec 25, 2024 · 4bbe159 · 4bbe159
1 parent 4f132b9
commit 4bbe159
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/12/10"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*",
 language = "eql"
 license = "Elastic License v2"
 name = "Uncommon Registry Persistence Change"
-references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
+references = [
+"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2", 
+"https://github.com/rad9800/BootExecuteEDR"
+]
 risk_score = 47
 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80"
 severity = "medium"
@@ -79,7 +82,10 @@ registry where host.os.type == "windows" and event.type == "change" and
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute",
+      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecuteNoPnpSync",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute",
+      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecuteNoPnpSync",
+      "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\PlatformExecute",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand",
       "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension",