Last active
June 23, 2020 10:22
-
-
Save Karneades/967904b3a4aaac87def3710d5eb13490 to your computer and use it in GitHub Desktop.
Extract registry keys from Sigma rules (see https://github.com/Neo23x0/sigma)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Requires PowerShell module powershell-yaml (https://github.com/cloudbase/powershell-yaml) | |
| See https://github.com/swisscom/PowerGRR/wiki/Use-registry-keys-from-Sigma-rules-as-input-for-PowerGRR-registry-flows. | |
| The first wildcard will be replace by both HKLM and HKCU, | |
| additional wildcards will be left as they are, e.g. values | |
| in CurrentControlSet or ControlSet001 would be found. | |
| PS> Get-SigmaRegistryKeys ..\apt_chafer_mar18_only_one_key.yml.txt | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe | |
| PS> Get-SigmaRegistryKeys win_net_ntlm_downgrade.yml | |
| HKEY_LOCAL_MACHINE\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel | |
| HKEY_CURRENT_USER\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel | |
| HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec | |
| HKEY_CURRENT_USER\SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec | |
| HKEY_LOCAL_MACHINE\\SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic | |
| HKEY_CURRENT_USER\\SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic | |
| PS> Get-SigmaRegistryKeys apt_chafer_mar18.yml | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UT | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UT | |
| HKEY_LOCAL_MACHINE\\Control\SecurityProviders\WDigest\UseLogonCredential | |
| HKEY_CURRENT_USER\\Control\SecurityProviders\WDigest\UseLogonCredential | |
| #> | |
| function Get-SigmaRegistryKeys () | |
| { | |
| param( | |
| [string] | |
| $FilePath | |
| ) | |
| if (Test-Path $FilePath) | |
| { | |
| $fileContent = gc $FilePath | |
| $content = '' | |
| foreach ($line in $fileContent) | |
| { | |
| $content = $content + "`n" + $line | |
| } | |
| $ret = ConvertFrom-Yaml $content -AllDocuments | |
| $detection = $ret.detection | |
| foreach ($d in $detection) | |
| { | |
| foreach ($key in $d.keys) | |
| { | |
| if ($d[$key].eventid -eq 13) | |
| { | |
| $regkeys = $d[$key].TargetObject | |
| foreach ($regkey in $regkeys) | |
| { | |
| [regex]$pattern = "\*" | |
| if ($regkey.startswith("*")) | |
| { | |
| $regkey2 = $regkey | |
| $pattern.Replace($regkey2,"HKEY_LOCAL_MACHINE\",1) | |
| $regkey = $pattern.Replace($regkey,"HKEY_CURRENT_USER\",1) | |
| } | |
| $regkey | |
| } | |
| } | |
| } | |
| } | |
| } | |
| else | |
| { | |
| write-error "File not found: $FilePath" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment