Merge pull request #16 from Neo23x0/config-devel

Neo23x0 · web-flow · commit 06181b2e74e6 · 2021-09-10T11:46:17.000+02:00
Registry changes caused during CVE-2021-40444 exploitation
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
@@ -790,6 +790,7 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+			<TargetObject name="Context,ContactedDomain" condition="end with">\EnableBHO</TargetObject> <!--Microsoft:Office: Contacted domains stored here 'HKEY_CURRENT_USER\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\<domain>\EnableBHO' -->
 		</RegistryEvent>
 	</RuleGroup>
 
