Delete ASim_Registry_PersistViaIFEORegistryKey.yaml

Hunting Queries/ASimRegistry/ASim_Registry_PersistViaIFEORegistryKey.yaml

@@ -1,46 +0,0 @@
-id: 356dc64c-6316-48ba-85aa-18883ac86931c
-name: Persisting Via IFEO Registry Key (Normalized Registry Events)
-description: |
-   'This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time.'
-severity: Medium
-requiredDataConnectors: []
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - Persistence
-relevantTechniques:
-  - T1546.012
-tags:
-  - Solorigate
-  - NOBELIUM
-  - Original: f82c89fa-c969-4d12-832f-04d55d14522c
-query: |
-  (union isfuzzy=true
-  (
-  SecurityEvent
-  | where EventID == 4657
-  | where CommandLine has "Image File Execution Options"
-  | where CommandLine has_any ("reg add", "reg delete")
-  | summarize Count=count() by Computer, CommandLine, Account, NewValue, OldValue
-  | top 10 by Count desc 
-  | extend AccountCustomEntity = Account, HostCustomEntity = Computer
-  ),
-  (
-  imRegistry
-  | where RegistryKey has_all ("HKLM", "Image File Execution Options")
-  | summarize Count=count() by Computer, UserName, tostring(TargetObject)
-  | top 10 by Count desc
-  | extend AccountCustomEntity = UserName, HostCustomEntity = Computer
-  )
-  )
-entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity