Description
I would like to have the ability to create rules on registry hives, for example:
```yaml
---
title: T1547.004 - Winlogon System Shell Changed
group: Persistence
description: Winlogon\Shell changed from explorer.exe
kind: registry_hive
level: critical
status: stable
timestamp: <take the timestamp from the last changed attribute on the registry key>
filter:
  condition: winlogon_shell and not value_data_explorer
  winlogon_shell:
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    RegistryValue: Shell
  value_data_explorer:
    RegistryValueData: explorer.exe
```
I think that this feature will allow getting a lot of value from the registry hives, both in forensics and threat hunting.
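To show how the proposed `registry_hive` rule could be evaluated, here is an added example (not code from the project or from the issue author) that applies the rule's selectors and `and`/`not`/`or` condition to registry entries and uses the key's last-write time as the detection timestamp. The rule is embedded as a dict rather than parsed from YAML, the entry format and the sample entries are constructed for the example, and the condition evaluator assumes no parentheses.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The rule from the issue, as a dict so the example runs with the standard library only.
RULE = {
    "title": "T1547.004 - Winlogon System Shell Changed", "level": "critical",
    "filter": {
        "condition": "winlogon_shell and not value_data_explorer",
        "winlogon_shell": {
            "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
            "RegistryValue": "Shell"},
        "value_data_explorer": {"RegistryValueData": "explorer.exe"}}}

# Rule field names mapped onto the (assumed) attributes of a parsed registry entry.
FIELDS = {"RegistryKey": "key", "RegistryValue": "name", "RegistryValueData": "data"}

@dataclass
class RegistryEntry:
    key: str
    name: str
    data: str
    last_written: datetime  # last-write timestamp of the key, used as the event time

def selector_matches(selector, entry):
    """Every field in a named selector must match the entry (case-insensitive)."""
    return all(getattr(entry, FIELDS[f]).lower() == v.lower() for f, v in selector.items())

def evaluate(tokens, names):
    """Minimal evaluator for 'a and not b or c' style conditions over selector names."""
    def parse_or():
        value = parse_and()
        while tokens and tokens[0] == "or":
            tokens.pop(0); value = parse_and() | value
        return value
    def parse_and():
        value = parse_not()
        while tokens and tokens[0] == "and":
            tokens.pop(0); value = parse_not() & value
        return value
    def parse_not():
        if tokens and tokens[0] == "not":
            tokens.pop(0); return not parse_not()
        return names[tokens.pop(0)]
    return parse_or()

def run_rule(rule, entries):
    """Return one detection per entry that satisfies the rule's condition."""
    filt = rule["filter"]
    selectors = {k: v for k, v in filt.items() if k != "condition"}
    hits = []
    for entry in entries:
        names = {n: selector_matches(sel, entry) for n, sel in selectors.items()}
        if evaluate(filt["condition"].split(), names):
            hits.append({"title": rule["title"], "level": rule["level"],
                         "timestamp": entry.last_written.isoformat(), "data": entry.data})
    return hits

WINLOGON = RULE["filter"]["winlogon_shell"]["RegistryKey"]
SAMPLE_ENTRIES = [  # constructed sample entries (as if from two different SOFTWARE hives)
    RegistryEntry(WINLOGON, "Shell", "explorer.exe", datetime(2024, 1, 5, 10, 0, tzinfo=timezone.utc)),
    RegistryEntry(WINLOGON, "Shell", r"C:\ProgramData\updater.exe", datetime(2024, 3, 2, 8, 30, tzinfo=timezone.utc)),
    RegistryEntry(WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,", datetime(2024, 1, 5, 10, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_ENTRIES):
        print(hit)
```

Only the second entry is reported: the first still has `explorer.exe` as the shell and the third is a different value under the same key.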