
Use registry keys from Sigma rules as input for PowerGRR registry flows

Karneades edited this page Mar 26, 2018 · 6 revisions

See the examples below or use the script directly.

Requirement

The function requires the PowerShell module powershell-yaml for the YAML conversion. powershell-yaml in turn requires the YamlDotNet library. Instead of the binaries shipped in the powershell-yaml repo, use the binaries from AppVeyor.

Examples

The Sigma rules apt_chafer_mar18 and win_net_ntlm_downgrade.yml were used for the tests.

Read all registry keys and transform hive wildcards into corresponding hives

Only the leading hive wildcard is expanded; any other wildcards are left as they are, so a pattern such as *ControlSet* still matches values under both CurrentControlSet and ControlSet001.

PS> Get-SigmaRegistryKeys ..\win_net_ntlm_downgrade.yml.txt
HKEY_LOCAL_MACHINE\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel
HKEY_CURRENT_USER\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec
HKEY_CURRENT_USER\SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec
HKEY_LOCAL_MACHINE\\SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic
HKEY_CURRENT_USER\\SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic

PS> Get-SigmaRegistryKeys ..\apt_chafer_mar18.yml.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UT
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UT
HKEY_LOCAL_MACHINE\\Control\SecurityProviders\WDigest\UseLogonCredential
HKEY_CURRENT_USER\\Control\SecurityProviders\WDigest\UseLogonCredential

Use PowerGRR to invoke a GRR flow directly from the given Sigma rule registry keys

Invoke-GRRFlow -Credential $cred -ComputerName $target -Flow RegistryFinder -Key (Get-SigmaRegistryKeys ..\sigma-oilrig.yaml)

Use PowerGRR to invoke a GRR hunt directly from the given Sigma rule registry keys

$hunt = New-GRRHunt -Credential $cred -Flow RegistryFinder -Key (Get-SigmaRegistryKeys ..\sigma-oilrig.yaml) -HuntDescription "Check OilRig sigma rule" -RuleType OS -ClientRate 500 -ClientLimit 0 -OnlyId -OS os_windows

PowerShell function for reading registry keys from Sigma rules

See also https://gist.github.com/Karneades/967904b3a4aaac87def3710d5eb13490.

function Get-SigmaRegistryKeys
{
    param(
        [Parameter(Mandatory)]
        [string]
        $FilePath
    )

    if (-not (Test-Path $FilePath))
    {
        Write-Error "File not found: $FilePath"
        return
    }

    # Read the whole rule file as one string for ConvertFrom-Yaml (powershell-yaml).
    $content = Get-Content $FilePath -Raw

    # A Sigma rule file may hold several YAML documents (rule collections).
    $ret = ConvertFrom-Yaml $content -AllDocuments

    $detection = $ret.detection

    # Walk every selection of the detection section. Only Sysmon registry
    # value-set events (EventID 13) carry registry paths in TargetObject.
    foreach ($d in $detection)
    {
        foreach ($key in $d.keys)
        {
            if ($d[$key].eventid -eq 13)
            {
                $regkeys = $d[$key].TargetObject

                foreach ($regkey in $regkeys)
                {
                    [regex]$pattern = "\*"

                    # Sigma rules use a leading '*' as a hive-independent prefix.
                    # Replace only that first '*' (count = 1) once per hive, so
                    # wildcards further down the path, e.g. *ControlSet*, survive.
                    if ($regkey.StartsWith("*"))
                    {
                        $pattern.Replace($regkey, "HKEY_LOCAL_MACHINE\", 1)
                        $pattern.Replace($regkey, "HKEY_CURRENT_USER\", 1)
                    }
                    else
                    {
                        # Already an absolute key; emit unchanged.
                        $regkey
                    }
                }
            }
        }
    }
}
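An added check, not part of this wiki page or of PowerGRR: before handing the expanded patterns to a GRR flow or hunt, resolve them against the registry of a local reference host to see which keys the remaining wildcards actually hit and which hive variants (for example the HKEY_CURRENT_USER copies of SYSTEM keys) never exist. Assumes a Windows host; the function name Test-SigmaRegistryKeyLocally is made up here, and the input list is constructed from the output shown above rather than read from a rule file.

```powershell
function Test-SigmaRegistryKeyLocally {
    [CmdletBinding()]
    param(
        # One hive-expanded pattern as emitted by Get-SigmaRegistryKeys.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Pattern
    )
    process {
        # Sigma/GRR use the long hive names; the PowerShell registry provider
        # wants the HKLM:/HKCU: drive form. '\\+' also collapses the doubled
        # backslash that the expansion leaves behind for '*\...' paths.
        $providerPath = $Pattern -replace '^HKEY_LOCAL_MACHINE\\+', 'HKLM:\' `
                                 -replace '^HKEY_CURRENT_USER\\+', 'HKCU:\'

        # The last element of a Sigma TargetObject is the value name; the rest is the key.
        $keyGlob   = Split-Path -Path $providerPath -Parent
        $valueGlob = Split-Path -Path $providerPath -Leaf

        # Get-Item expands the remaining wildcards (e.g. *ControlSet*) against the live registry.
        $keys = @(Get-Item -Path $keyGlob -ErrorAction SilentlyContinue)
        if ($keys.Count -eq 0) {
            [pscustomobject]@{ Pattern = $Pattern; Key = $null; Value = $valueGlob; Present = $false }
            return
        }
        foreach ($key in $keys) {
            # -like is case-insensitive, matching the registry's own value-name semantics.
            $found = @($key.GetValueNames() | Where-Object { $_ -like $valueGlob })
            [pscustomobject]@{
                Pattern = $Pattern
                Key     = $key.Name
                Value   = if ($found) { $found -join ',' } else { $valueGlob }
                Present = [bool]$found
            }
        }
    }
}

# Constructed input: three of the patterns shown above for win_net_ntlm_downgrade.yml.
$patterns = @(
    'HKEY_LOCAL_MACHINE\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel',
    'HKEY_CURRENT_USER\\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel',
    'HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
)
$patterns | Test-SigmaRegistryKeyLocally | Format-Table -AutoSize
```

Patterns that come back with Present = $false on a reference host are candidates to drop from the -Key list before starting a hunt, which keeps the RegistryFinder flow from checking paths that cannot exist.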