
Проблему решил, всё заработало )))
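// Flags a service ImagePath value being set in HKLM\SYSTEM\ControlSetNNN\Services\*
// by a process other than services.exe. The rule operates on JSON-formatted events
// from a registry monitor (fields "t", "st", "key", "app", "val_n"); the exact
// meaning of t=2 / st=2 is taken from the string names and the meta block below —
// confirm against the monitor's event schema.
rule Detect_create_regnonsystem
{
    meta:
        type = "RegSetValue"
        action = "detect"
        description = "Обнаружено создания ключа (APP NOT SYSTEM)"
        severity = 2
    strings:
        // Event source: registry monitor (per the string name).
        $EventFromRegMonitor = "\"t\":2,"
        // Event subtype: RegSetValue (per meta.type).
        $EventRegSetValue = "\"st\":2,"
        // Fix: the original pattern read "Contro lSet001" (stray space) and could never match.
        // Backslashes are doubled because the key path arrives JSON-escaped.
        // ControlSet\d{3} instead of a hard-coded 001: the active control set is not always 001.
        $KeyIsServices = /"key":"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet\d{3}\\\\Services\\\\.*"/ nocase
        // Legitimate writer of ImagePath. NOTE(review): this excludes by image name only,
        // so any process whose name ends in "services.exe" is treated as legitimate;
        // anchoring on the full system path would be stricter if the "app" field carries it.
        $ValueNameApp = /"app":".*services\.exe"/ nocase
        // The value being written is ImagePath.
        $valnI = /"val_n":"ImagePath"/ nocase
    condition:
        $EventFromRegMonitor and $EventRegSetValue and $KeyIsServices and $valnI and not $ValueNameApp
}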