sigma | high | Hunting

LSA PPL Protection Disabled Via Reg.EXE

Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_cli:
  CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa
  CommandLine|contains|all:
    - " add "
    - " /d 0"
    - " /v RunAsPPL "
condition: all of selection_*

Author

Florian Roth (Nextron Systems)

Created

2022-03-22

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.defense-evasion, attack.t1562.010

Raw Content

title: LSA PPL Protection Disabled Via Reg.EXE
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
author: Florian Roth (Nextron Systems)
date: 2022-03-22
modified: 2023-03-26
tags:
    - attack.defense-evasion
    - attack.t1562.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa'
        CommandLine|contains|all:
            - ' add '
            - ' /d 0'
            - ' /v RunAsPPL '
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
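As an added illustration (not part of the rule or of this page), the Python below re-implements the rule's selection logic and runs it over a few constructed process-creation events, showing which would alert. The field names mirror Sysmon Event ID 1 / Sigma process_creation fields; the events themselves are assumptions built for the demo.

```python
"""Evaluate the LSA PPL Sigma rule's logic over constructed process-creation events."""
from typing import Dict, List

# Constructed sample events (not real telemetry), shaped like Sigma process_creation fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # disables PPL via reg.exe: expected to alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0 /f',
    },
    {  # enables PPL (/d 1): hardening, must not alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f",
    },
    {  # read-only query of the same value: must not alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL",
    },
    {  # renamed copy of reg.exe: still caught through OriginalFileName (selection_img is an OR)
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe ADD hklm\system\currentcontrolset\control\lsa /v runasppl /t reg_dword /d 0 /f",
    },
]

def _contains(event: Dict[str, str], field: str, needle: str) -> bool:
    # Sigma string modifiers (contains, endswith, ...) match case-insensitively by default.
    return needle.lower() in event.get(field, "").lower()

def selection_img(event: Dict[str, str]) -> bool:
    # A YAML list of maps in Sigma means OR between the entries.
    return (event.get("Image", "").lower().endswith(r"\reg.exe")
            or event.get("OriginalFileName", "").lower() == "reg.exe")

def selection_cli(event: Dict[str, str]) -> bool:
    # A map means AND between keys; contains|all requires every listed substring.
    return (_contains(event, "CommandLine", r"SYSTEM\CurrentControlSet\Control\Lsa")
            and all(_contains(event, "CommandLine", s) for s in (" add ", " /d 0", " /v RunAsPPL ")))

def matches_rule(event: Dict[str, str]) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```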