Проблема Yara rulls (Help)

[Deanned]

rule Detect_create_regnonsystem
{
meta:
type = "RegSetValue"
description = "Обнаружено создания ключа (APP NOT SYSTEM)"
severity = 3


strings:
$EventFromRegMonitor = "\"t\":2,"
$EventRegCreate = "\"st\":0,"

$KeyIsServices = /"key":"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\.*"/ nocase
$ValueNameApp = /"app":"*smss\.exe"/ nocase /* Что не так с этой строчкой ?*/

condition:
$EventFromRegMonitor and $EventRegCreate and $KeyIsServices and not $ValueNameApp

}
Может кто подскажет что не так с этим правилом ?

 

[Pernat1y]

Откуда ивент идёт и в каком виде?

 

[Deanned]

Откуда ивент идёт и в каком виде?

Вот в таком виде, а откуда к сожалению не могу сказать )
"svrt":3
"sess":0
"act":2
"t":4
"st":51
"time":"2022-02-10T06:35:36.261361200Z"
"rul":"20-343@BlockPowerShell"
"pid":15940
"ppid":19828
"app":"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
"rf0":262144
"exclf":140737488355361
"uuid":"696c4d6c-1e48-01d8-472f-000000000000"
"dom":"NT AUTHORITY"
"usr":"СИСТЕМА"
"who":"\Device\HarddiskVolume3\Windows\System32\ntdll.dll"
"whotid":17640
"whoaddr":140707855034480
"whof":240526598156
"wdir":"C:\Windows\system32\"
"cmdl":"powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';"
"cmdlp":"C:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -foScheduledTelemetryRun -cv:rFqUtNrzg0+poP0O.1"
"cmdlg":"C:\Windows\system32\compattelrunner.exe"
"prot":0
"when":"2022-02-10T06:35:36.259694300Z"
"cpid":19828
"cpath":"\Device\HarddiskVolume3\Windows\System32\CompatTelRunner.exe"
"sid":"S-1-5-18"
"imgf":140737488355361
"base":140699454275584
"isize":450560
"crtime":"2021-06-05T12:07:00.067985000Z"
"chtime":"2021-06-05T12:07:00.067985000Z"
"fsize":450560
"ftype":2
"attr":32
"sha1":"eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204"
"md5":"0e9ccd796e251916133392539572a374"
"sha256":"c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221"
"parent":"50ad084f-1e48-01d8-3b2f-000000000000"
"caller":"50ad084f-1e48-01d8-3b2f-000000000000"
"agent_id":"9cf5cfca29d171585ab6832c713cb87c79"
"creation_time":"2022-02-10T06:35:37.384914"

 

[Deanned]

Проблему решил, всё заработало )))
rule Detect_create_regnonsystem
{
meta:
type = "RegSetValue"
action = "detect"
description = "Обнаружено создания ключа (APP NOT SYSTEM)"
severity = 2


strings:
$EventFromRegMonitor = "\"t\":2,"
$EventRegSetValue = "\"st\":2,"
$KeyIsServices = /"key":"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\.*"/ nocase
$ValueNameApp = /"app":".*services\.exe"/ nocase
$valnI = /"val_n":"ImagePath"/ nocase


condition:
$EventFromRegMonitor and $EventRegSetValue and $KeyIsServices and $valnI and not $ValueNameApp
}