Threat Huntmediumtest
Potential Registry Reconnaissance Via PowerShell Script
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Hunting Hypothesis
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
Detection Logic1 selector
detection:
selection:
# TODO: switch to |re|i: after sigma specification v2 is released
ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
condition: selectionFalse Positives
Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
References
MITRE ATT&CK
Tactics
Other
detection.threat-hunting
Rule Metadata
Rule ID
064060aa-09fb-4636-817f-020a32aa7e9e
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Jul 02
Author
Path
rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
Raw Tags
attack.discoveryattack.t1012attack.t1007detection.threat-hunting