Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Rule Tuning] Windows DR Tuning - 5 #3229

Merged
merged 6 commits into from
Dec 5, 2023
Merged

[Rule Tuning] Windows DR Tuning - 5 #3229

merged 6 commits into from
Dec 5, 2023

Conversation

w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Oct 25, 2023

Issues

Part of #3186

Summary

Tunes the following rules:

  • Symbolic Link to Shadow Copy Created
  • Potential Antimalware Scan Interface Bypass via PowerShell
  • Code Signing Policy Modification Through Registry
  • Creation or Modification of Root Certificate
  • Windows Defender Disabled via Registry Modification

@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Oct 25, 2023
@w0rk3r w0rk3r self-assigned this Oct 25, 2023
@@ -99,7 +99,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change")
(
registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and
registry.value: "BehaviorOnFailedVerify" and
registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
registry.data.strings : ("0", "0x00000000")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to reflect this change in the rule name as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can leave it as is

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Aegrah I was taking a second look at this one, and it seems that the original logic is the way to go here

image

Will exclude it for now, and explore other tuning opportunities

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

@Aegrah Aegrah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@DefSecSentinel DefSecSentinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@w0rk3r w0rk3r merged commit e5d6767 into main Dec 5, 2023
12 checks passed
@w0rk3r w0rk3r deleted the rt_6 branch December 5, 2023 22:20
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
protectionsmachine pushed a commit that referenced this pull request Dec 5, 2023
* [Rule Tuning] Windows DR Tuning - 5

* .

* Revert changes BehaviorOnFailedVerify

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit e5d6767)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants