Skip to content

Commit

Permalink
Add 38 new registry-based persistence techniques (#954)
Browse files Browse the repository at this point in the history
* Add 38 new registry-based persistence techniques

* fix hhctrl com hijack match statement

* fix core_profiler_path rule

* remove optional from disk cleanup handler rule

* update dotnet_startup_hooks

* improve filter handler rule

* update persist via PATH

* merge task schedule persistence with existing rule

* update UserInitMprLogonScript rule

* merge universal app uri with default file association; add better reference
  • Loading branch information
jorik-utwente authored Dec 9, 2024
1 parent ce5e041 commit e033410
Show file tree
Hide file tree
Showing 37 changed files with 702 additions and 7 deletions.
18 changes: 18 additions & 0 deletions nursery/persist-via-aedebug-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via AeDebug registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i
- string: /Debugger/i
17 changes: 17 additions & 0 deletions nursery/persist-via-amsi-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via AMSI registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience
features:
- and:
- match: set registry value
- string: /Microsoft\\AMSI\\Providers\\/i
17 changes: 17 additions & 0 deletions nursery/persist-via-app-paths-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via App paths registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
references:
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i
17 changes: 17 additions & 0 deletions nursery/persist-via-appcertdlls-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via AppCertDlls registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::AppCert DLLs [T1546.009]
references:
- https://skanthak.hier-im-netz.de/appcert.html
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i
22 changes: 22 additions & 0 deletions nursery/persist-via-appx-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
rule:
meta:
name: persist via AppX registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
features:
- and:
- match: set registry value
- or:
- string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i
- and:
- string: /ActivatableClasses\\Package\\/i
- string: /DebugInformation/i
- string: /DebugPath/i
19 changes: 19 additions & 0 deletions nursery/persist-via-autodialdll-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via AutodialDLL registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i
- string: /AutodialDLL/i
22 changes: 22 additions & 0 deletions nursery/persist-via-autoplayhandlers-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
rule:
meta:
name: persist via AutoplayHandlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event
- https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i
- or:
- string: /Action/i
- string: /Provider/i
- string: /InitCmd/i
18 changes: 18 additions & 0 deletions nursery/persist-via-bootverificationprogram-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via BootVerificationProgram registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution [T1547]
references:
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i
- string: /ImagePath/i
19 changes: 19 additions & 0 deletions nursery/persist-via-code-signing-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Code signing registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
features:
- and:
- match: set registry value
- and:
- string: /Microsoft\\Cryptography\\OID\\/i
- string: /^Dll$/i
23 changes: 23 additions & 0 deletions nursery/persist-via-com-hijack.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
rule:
meta:
name: persist via COM hijack
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
references:
- https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/
- https://stmxcsr.com/persistence/com-hijacking.html
features:
- and:
- match: set registry value
- or:
- string: /Classes\\CLSID/i
- string: /Classes\\WOW6432Node\\CLSID/i
- or:
- string: /InProcServer32/i
- string: /LocalServer32/i
19 changes: 19 additions & 0 deletions nursery/persist-via-command-processor-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Command Processor registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
features:
- and:
- match: set registry value
- and:
- string: /Microsoft\\Command Processor/i
- string: /AutoRun/i
18 changes: 18 additions & 0 deletions nursery/persist-via-contextmenuhandlers-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via ContextMenuHandlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://pentestlab.blog/2023/03/13/persistence-context-menu/
- https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html
features:
- and:
- match: set registry value
- string: /\\shellex\\ContextMenuHandlers\\/i
18 changes: 18 additions & 0 deletions nursery/persist-via-cor_profiler_path-registry-value.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via COR_PROFILER_PATH registry value
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012]
references:
- https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/
features:
- and:
- match: set registry value
- string: /Environment/i
- string: /COR_PROFILER_PATH/i
21 changes: 21 additions & 0 deletions nursery/persist-via-default-file-association-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
rule:
meta:
name: persist via default file association registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
references:
- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
features:
- and:
- match: set registry value
- or:
- string: /\\shell\\open\\command/i
- string: /\\shell\\print\\command/i
- string: /\\shell\\printto\\command/i
18 changes: 18 additions & 0 deletions nursery/persist-via-disk-cleanup-handler-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via Disk Cleanup Handler registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i
18 changes: 18 additions & 0 deletions nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via .NET DbgManagedDebugger registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022
features:
- and:
- match: set registry value
- string: /Microsoft\\.NETFramework/i
- string: /DbgManagedDebugger/i
18 changes: 18 additions & 0 deletions nursery/persist-via-dotnet_startup_hooks-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via DOTNET_STARTUP_HOOKS registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002]
references:
- https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
features:
- and:
- match: set registry value
- string: /Environment/i
- string: /DOTNET_STARTUP_HOOKS/i
17 changes: 17 additions & 0 deletions nursery/persist-via-explorer-tools-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via Explorer tools registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i
19 changes: 19 additions & 0 deletions nursery/persist-via-filter-handlers-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Filter Handlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about
features:
- and:
- match: set registry value
- or:
- string: /\\\..*\\PersistentHandler/i
- string: /CLSID\\.*\\PersistentHandler/i
21 changes: 21 additions & 0 deletions nursery/persist-via-group-policy-registry-key.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
rule:
meta:
name: persist via Group Policy registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution [T1547]
references:
- None
features:
- and:
- match: set registry value
- and:
- or:
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i
- string: /^Script$/i
Loading

0 comments on commit e033410

Please sign in to comment.