Yara Rules not matching a String - Windows Event

Question

I need a little help: I was triggering "Registry persistence" events which can be related to a malware presence.

Here is the Yara rule I tried to get triggered from Sysmon events (Event Viewer channel)

rule RegistryPersistence
{
         strings:
                      $CommandLine = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
         condition:
                      $CommandLine
}

Here is the powershell command I want to trigger:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 0 /d C: emp\malicious.dll

I did tried to use "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*" but nothing changed. However if I specify $CommandLine = "reg.exe" I'll get the event triggered as expected.

Any help would be really appreciated in this moment.

The event from the Event Viewer is

Process Create: RuleName: - UtcTime: 2023-04-24 21:07:52.827 ProcessGuid: {f3ae464f-efa8-6446-1104-000000000e00} ProcessId: 11916 Image: C:\Windows\System32 eg.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: Registry Console Tool Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: reg.exe CommandLine: "C:\Windows\system32 eg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 0 /d C: emp\malicious.dll CurrentDirectory: C:\Windows\system32\ User: DESKTOP-D577HXY\Tester LogonGuid: {f3ae464f-df1a-6446-3085-c10000000000} LogonId: 0xC18530 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF ParentProcessGuid: {f3ae464f-df1b-6446-4c03-000000000e00} ParentProcessId: 10264 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentUser: DESKTOP-D577HXY\Tester

Yara Rules not matching a String - Windows Event

Answers (1)

Related Questions