Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform t
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 473d57e6-f787-435c-a16b-b38b51fa9a4b |
| Severity | High |
| Kind | Scheduled |
| Tactics | DefenseEvasion |
| Techniques | T1562 |
| Required Connectors | SecurityEvents, MicrosoftThreatProtection, WindowsSecurityEvents, WindowsForwardedEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceProcessEvents |
✓ | ✗ | ? | |
SecurityEvent |
✓ | ✓ | ? | |
WindowsEvent |
EventID in "4670,4688" |
✓ | ✓ | ? |
The following connectors provide data for this content item:
Solutions: Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊