Archived

This topic is now archived and is closed to further replies.

ILoveESET

Combining process and registry detection

Hello,

I was trying to create a rule which detects registry changes made by PowerShell that was generated from Excel. Below is my rule set. It passed the syntax check. The activity was reproduced by creating the registry key HKCU:\Software\myEEIEx on endpoints with the EEI agent installed.

Detection of the registry key change worked, but when adding the logic for detecting the process, it doesn't seem to trigger...

    <definition>
        <Process>
            <operator type="OR">
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
            </operator>
        </Process>
        <operations>
            <operation type="RegSetValue">
                <operator type="OR">
                    <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
                </operator>
            </operation>
        </operations>
    </definition>

Hello,

Try to remove the colon (:) character from the HKCU path.

Regards.

2 hours ago, MilanBA said:

Hello,

Try to remove the colon (:) character from the HKCU path.

Regards.

Ah ha! That worked, thank you very much.
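As an added example, not code from this thread or from ESET's rule engine, the Python below mimics the logic of the rule posted above (a script-host process OR condition combined with a RegSetValue key-prefix condition) on a few constructed events, and shows why a PowerShell drive path of the form HKCU:\Software\... fails a "starts" match against a key recorded as HKCU\Software\..., which is what MilanBA's fix (dropping the colon) addresses. The event record layout, the assumption that the sensor records keys with the short hive name and no colon, and the normalize_key helper are assumptions of this example, not documented EEI behaviour.

```python
"""Toy evaluator for a process + registry-write detection rule.

Constructed example: it is NOT ESET's rule engine. It reproduces the logic
of the thread's rule (process name in a set of script hosts AND written key
starts with a prefix) and demonstrates the colon problem from the reply.
"""
import re
from dataclasses import dataclass

# Process names from the rule's FileNameWithoutExtension OR block.
SCRIPT_HOSTS = {"powershell", "cscript", "wscript", "cmd"}

# Long hive names mapped to the short form used in the rule (assumed mapping).
HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}


@dataclass(frozen=True)
class RegSetValueEvent:
    """One constructed RegSetValue telemetry record (assumed field layout)."""
    process_name: str   # executable name without extension, e.g. "powershell"
    key: str            # key path as the sensor records it: short hive, no colon (assumed)
    value_name: str


def normalize_key(key: str) -> str:
    """Turn a PowerShell drive path (HKCU:\\...) or a long hive name
    (HKEY_CURRENT_USER\\...) into the short-hive, colon-free form
    (HKCU\\...) that the thread reports as matching.
    """
    key = key.strip().replace("/", "\\")
    m = re.match(r"^([A-Za-z_]+):?(?:\\(.*))?$", key)
    if not m:
        return key  # not a hive-rooted path; leave untouched
    hive, rest = m.group(1).upper(), m.group(2) or ""
    hive = HIVE_ALIASES.get(hive, hive)
    return hive + ("\\" + rest if rest else "")


def rule_matches(event: RegSetValueEvent, key_prefix: str,
                 normalize_prefix: bool = True) -> bool:
    """AND of the two rule parts: script-host process AND key prefix.

    With normalize_prefix=False the prefix is compared literally, which is
    what happens when the rule author pastes 'HKCU:\\...' into the rule.
    Registry paths are case-insensitive on Windows, so comparison is folded.
    """
    proc_ok = event.process_name.lower() in SCRIPT_HOSTS
    prefix = normalize_key(key_prefix) if normalize_prefix else key_prefix
    key_ok = normalize_key(event.key).lower().startswith(prefix.lower())
    return proc_ok and key_ok


def evaluate(events, key_prefix: str, normalize_prefix: bool = True):
    """Apply the rule to every event; returns one bool per event."""
    return [rule_matches(e, key_prefix, normalize_prefix) for e in events]


# Constructed sample telemetry: the reproduction from the thread plus two
# negatives (wrong process, key outside the watched subtree).
EVENTS = [
    RegSetValueEvent("powershell", r"HKCU\Software\myEEIEx", "Test"),
    RegSetValueEvent("excel", r"HKCU\Software\myEEIEx", "Test"),
    RegSetValueEvent("powershell", r"HKCU\Software\Classes", "Default"),
]

if __name__ == "__main__":
    # Prefix with the PowerShell drive colon, compared literally: nothing fires.
    print("colon, literal   :", evaluate(EVENTS, r"HKCU:\Software\myEEIEx", False))
    # Same prefix after dropping the colon (the fix from the reply): first event fires.
    print("no colon, literal:", evaluate(EVENTS, r"HKCU\Software\myEEIEx", False))
```

Running the block prints [False, False, False] for the literal colon prefix and [True, False, False] once the colon is removed; only the PowerShell write under the watched key satisfies both halves of the rule.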
