From db3afafddbafd4963b5f4b6426c016856f680129 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Wed, 25 Sep 2024 11:57:36 +0800
Subject: [PATCH 1/4] Add initial rule for hiding shutdown actions
Signed-off-by: Still Hsu
---
.../os/hide-shutdown-actions-via-policy.yml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 host-interaction/os/hide-shutdown-actions-via-policy.yml
diff --git a/host-interaction/os/hide-shutdown-actions-via-policy.yml b/host-interaction/os/hide-shutdown-actions-via-policy.yml
new file mode 100644
index 00000000..927c1de8
--- /dev/null
+++ b/host-interaction/os/hide-shutdown-actions-via-policy.yml
@@ -0,0 +1,29 @@
+rule:
+ meta:
+ name: hide shutdown actions via policy
+ namespace: host-interaction/os
+ authors:
+ - still@teamt5.org
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Defense Evasion::Modify Registry [T1112]
+ examples:
+ - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
+ features:
+ - and:
+ - optional:
+ - match: create or open registry key
+ - or:
+ - and:
+ - string: "/Policies/i"
+ - or:
+ - string: "/ShutdownWithoutLogon/i"
+ - string: "/HidePowerOptions/i"
+ - and:
+ - string: "/PolicyManager/i"
+ - or:
+ - string: "/HideRestart/i"
+ - string: "/HideShutDown/i"
+ - string: "/HideSignOut/i"
\ No newline at end of file
From 4147452a40ae8695d1336ede9acf7f1d881cd6d6 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Wed, 25 Sep 2024 12:00:45 +0800
Subject: [PATCH 2/4] Lint rule
Signed-off-by: Still Hsu
---
.../os/hide-shutdown-actions-via-policy.yml | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/host-interaction/os/hide-shutdown-actions-via-policy.yml b/host-interaction/os/hide-shutdown-actions-via-policy.yml
index 927c1de8..25a5fe2b 100644
--- a/host-interaction/os/hide-shutdown-actions-via-policy.yml
+++ b/host-interaction/os/hide-shutdown-actions-via-policy.yml
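Review bot: The `scopes:` block declares `dynamic: call` next to `static: function`, but each `and:` under `features:` requires two regex string features to co-occur (e.g. `/Policies/i` together with `/ShutdownWithoutLogon/i`), and at call scope both substrings must appear among the arguments of a single API call. Whether a registry value write is reported with the value name joined to a fully resolved key path depends on the sandbox backend, so the dynamic branch looks unverified; either add a dynamic example to `examples:` or, if the rule was only validated statically, drop `dynamic: call` and keep the static example only. The `optional:` / `match: create or open registry key` entry documents intent but never constrains matching, so a one-line `description:` under `meta:` would help reviewers, e.g. `description: detect registry policy values that hide shutdown, restart, sign-out or power options from the user`.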
@@ -12,18 +12,18 @@ rule:
 examples:
 - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
 features:
- - and:
- - optional:
- - match: create or open registry key
- - or:
- - and:
- - string: "/Policies/i"
- - or:
- - string: "/ShutdownWithoutLogon/i"
- - string: "/HidePowerOptions/i"
- - and:
- - string: "/PolicyManager/i"
- - or:
- - string: "/HideRestart/i"
- - string: "/HideShutDown/i"
- - string: "/HideSignOut/i"
\ No newline at end of file
+ - and:
+ - optional:
+ - match: create or open registry key
+ - or:
+ - and:
+ - string: "/Policies/i"
+ - or:
+ - string: "/ShutdownWithoutLogon/i"
+ - string: "/HidePowerOptions/i"
+ - and:
+ - string: "/PolicyManager/i"
+ - or:
+ - string: "/HideRestart/i"
+ - string: "/HideShutDown/i"
+ - string: "/HideSignOut/i"
From a011bc56bd639d0d2cff066e2b20eea15e5839a6 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 26 Sep 2024 07:39:36 +0800
Subject: [PATCH 3/4] Add offset to example sample + existing references
Signed-off-by: Still Hsu
---
host-interaction/os/hide-shutdown-actions-via-policy.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/host-interaction/os/hide-shutdown-actions-via-policy.yml b/host-interaction/os/hide-shutdown-actions-via-policy.yml
index 25a5fe2b..e5b3f160 100644
--- a/host-interaction/os/hide-shutdown-actions-via-policy.yml
+++ b/host-interaction/os/hide-shutdown-actions-via-policy.yml
@@ -10,7 +10,9 @@ rule:
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 examples:
- - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0
+ - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0:0x14000b47f
+ references:
+ - https://securelist.com/mallox-ransomware/113529/
 features:
 - and:
 - optional:
From 36356530b92eab11c6342a11ec4f4237bb85c2a0 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Thu, 26 Sep 2024 14:22:04 +0200
Subject: [PATCH 4/4] Update host-interaction/os/hide-shutdown-actions-via-policy.yml
---
host-interaction/os/hide-shutdown-actions-via-policy.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/host-interaction/os/hide-shutdown-actions-via-policy.yml b/host-interaction/os/hide-shutdown-actions-via-policy.yml
index e5b3f160..70547555 100644
--- a/host-interaction/os/hide-shutdown-actions-via-policy.yml
+++ b/host-interaction/os/hide-shutdown-actions-via-policy.yml
@@ -9,10 +9,10 @@ rule:
 dynamic: call
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
- examples:
- - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0:0x14000b47f
 references:
 - https://securelist.com/mallox-ransomware/113529/
+ examples:
+ - a6594d9550d56ddeaac8b3140821e698eefb7163ba29f0119c2ef19beb6040b0:0x14000b47f
 features:
 - and:
 - optional: