Use registry keys from Sigma rules as input for PowerGRR registry flows
See the examples below, or use the script directly.
The function requires the PowerShell module powershell-yaml to be installed for the YAML conversion. The powershell-yaml module in turn requires the YamlDotNet library. Instead of the binaries shipped in the powershell-yaml repository, use the binaries from AppVeyor.
The current apt_chafer_mar18 rule is used as an example below.
PS> Get-SigmaRegistryKeys ..\sigma-oilrig.yaml
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UT
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UT
HKEY_LOCAL_MACHINE\\Control\SecurityProviders\WDigest\UseLogonCredential
HKEY_CURRENT_USER\\Control\SecurityProviders\WDigest\UseLogonCredential
# Run a single RegistryFinder flow on one client, using the keys extracted from the rule as -Key.
Invoke-GRRFlow -Credential $cred -ComputerName $target -Flow RegistryFinder -Key (Get-SigmaRegistryKeys ..\sigma-oilrig.yaml)
# The same key list, but used to create a hunt instead of a single flow.
$hunt = new-grrhunt -Credential $cred -Flow RegistryFinder -Key (Get-SigmaRegistryKeys ..\sigma-oilrig.yaml) -HuntDescription "Check OilRig sigma rule" -RuleType OS -ClientRate 500 -ClientLimit 0 -OnlyId -OS os_windows
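function Get-SigmaRegistryKeys ()
{
    <#
    .SYNOPSIS
    Extracts registry key paths from the detection section of a Sigma rule file.

    .DESCRIPTION
    Reads the YAML rule at -FilePath, converts it with ConvertFrom-Yaml
    (powershell-yaml module, -AllDocuments) and emits every TargetObject value
    found in a detection section whose name matches "reg". A '*' wildcard in a
    key is expanded into one HKEY_LOCAL_MACHINE and one HKEY_CURRENT_USER line,
    so the output can be passed straight to the -Key parameter of
    Invoke-GRRFlow / New-GRRHunt.

    .PARAMETER FilePath
    Path to the Sigma rule (YAML). Interpreted literally, so '[' or '*' in the
    file name are not treated as wildcards.

    .OUTPUTS
    System.String - one registry key path per output object.

    .NOTES
    The '*' expansion only substitutes the hive prefix. If the rule uses '*' to
    stand for a longer prefix, the emitted path is not a valid key (the
    WDigest\UseLogonCredential example output with its doubled backslash shows
    this) and a RegistryFinder flow built from it will not find the key.
    Review the output before using it in a flow or hunt.
    #>
    param(
        [string]
        $FilePath
    )

    # An empty path would make Test-Path return $false anyway; check it explicitly
    # so the error message is the same in both cases.
    if ([string]::IsNullOrEmpty($FilePath) -or -not (Test-Path -LiteralPath $FilePath))
    {
        Write-Error "File not found: $FilePath"
        return
    }

    # Re-join the lines into one string for the YAML parser.
    $content = (Get-Content -LiteralPath $FilePath) -join "`n"
    $documents = ConvertFrom-Yaml $content -AllDocuments
    $detection = $documents.detection

    foreach ($section in $detection)
    {
        foreach ($name in $section.Keys)
        {
            # Unanchored, case-insensitive match: "registry", "selection_reg", ... all qualify.
            if ($name -notmatch "reg") { continue }

            # foreach over $null iterates zero times, so a section without
            # TargetObject simply contributes nothing.
            foreach ($key in $section[$name]["TargetObject"])
            {
                # YAML scalars may arrive as non-string types; .Contains needs a string.
                $key = [string]$key
                if ($key.Contains("*"))
                {
                    # Emit both hive variants explicitly, HKLM first. The original relied on
                    # an unassigned '-replace' expression falling through to the pipeline.
                    Write-Output ($key -replace "\*", "HKEY_LOCAL_MACHINE\")
                    Write-Output ($key -replace "\*", "HKEY_CURRENT_USER\")
                }
                else
                {
                    Write-Output $key
                }
            }
        }
    }
}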