-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add 38 new registry-based persistence techniques (#954)
* Add 38 new registry-based persistence techniques * fix hhctrl com hijack match statement * fix core_profiler_path rule * remove optional from disk cleanup handler rule * update dotnet_startup_hooks * improve filter handler rule * update persist via PATH * merge task schedule persistence with existing rule * update UserInitMprLogonScript rule * merge universal app uri with default file association; add better reference
- Loading branch information
1 parent
ce5e041
commit e033410
Showing
37 changed files
with
702 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via AeDebug registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i | ||
- string: /Debugger/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: persist via AMSI registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\AMSI\\Providers\\/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: persist via App paths registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007] | ||
references: | ||
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: persist via AppCertDlls registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution::AppCert DLLs [T1546.009] | ||
references: | ||
- https://skanthak.hier-im-netz.de/appcert.html | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
rule: | ||
meta: | ||
name: persist via AppX registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ | ||
features: | ||
- and: | ||
- match: set registry value | ||
- or: | ||
- string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i | ||
- and: | ||
- string: /ActivatableClasses\\Package\\/i | ||
- string: /DebugInformation/i | ||
- string: /DebugPath/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
rule: | ||
meta: | ||
name: persist via AutodialDLL registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations | ||
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i | ||
- string: /AutodialDLL/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
rule: | ||
meta: | ||
name: persist via AutoplayHandlers registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event | ||
- https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/ | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i | ||
- or: | ||
- string: /Action/i | ||
- string: /Provider/i | ||
- string: /InitCmd/i |
18 changes: 18 additions & 0 deletions
18
nursery/persist-via-bootverificationprogram-registry-key.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via BootVerificationProgram registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Boot or Logon Autostart Execution [T1547] | ||
references: | ||
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i | ||
- string: /ImagePath/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
rule: | ||
meta: | ||
name: persist via Code signing registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf | ||
features: | ||
- and: | ||
- match: set registry value | ||
- and: | ||
- string: /Microsoft\\Cryptography\\OID\\/i | ||
- string: /^Dll$/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
rule: | ||
meta: | ||
name: persist via COM hijack | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015] | ||
references: | ||
- https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/ | ||
- https://stmxcsr.com/persistence/com-hijacking.html | ||
features: | ||
- and: | ||
- match: set registry value | ||
- or: | ||
- string: /Classes\\CLSID/i | ||
- string: /Classes\\WOW6432Node\\CLSID/i | ||
- or: | ||
- string: /InProcServer32/i | ||
- string: /LocalServer32/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
rule: | ||
meta: | ||
name: persist via Command Processor registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433 | ||
features: | ||
- and: | ||
- match: set registry value | ||
- and: | ||
- string: /Microsoft\\Command Processor/i | ||
- string: /AutoRun/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via ContextMenuHandlers registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://pentestlab.blog/2023/03/13/persistence-context-menu/ | ||
- https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /\\shellex\\ContextMenuHandlers\\/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via COR_PROFILER_PATH registry value | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012] | ||
references: | ||
- https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/ | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Environment/i | ||
- string: /COR_PROFILER_PATH/i |
21 changes: 21 additions & 0 deletions
21
nursery/persist-via-default-file-association-registry-key.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
rule: | ||
meta: | ||
name: persist via default file association registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution::Change Default File Association [T1546.001] | ||
references: | ||
- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association | ||
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html | ||
features: | ||
- and: | ||
- match: set registry value | ||
- or: | ||
- string: /\\shell\\open\\command/i | ||
- string: /\\shell\\print\\command/i | ||
- string: /\\shell\\printto\\command/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via Disk Cleanup Handler registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ | ||
- https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i |
18 changes: 18 additions & 0 deletions
18
nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via .NET DbgManagedDebugger registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022 | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\.NETFramework/i | ||
- string: /DbgManagedDebugger/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
rule: | ||
meta: | ||
name: persist via DOTNET_STARTUP_HOOKS registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002] | ||
references: | ||
- https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Environment/i | ||
- string: /DOTNET_STARTUP_HOOKS/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: persist via Explorer tools registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ | ||
features: | ||
- and: | ||
- match: set registry value | ||
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
rule: | ||
meta: | ||
name: persist via Filter Handlers registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Event Triggered Execution [T1546] | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about | ||
features: | ||
- and: | ||
- match: set registry value | ||
- or: | ||
- string: /\\\..*\\PersistentHandler/i | ||
- string: /CLSID\\.*\\PersistentHandler/i |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
rule: | ||
meta: | ||
name: persist via Group Policy registry key | ||
namespace: persistence/registry | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: call | ||
att&ck: | ||
- Persistence::Boot or Logon Autostart Execution [T1547] | ||
references: | ||
- None | ||
features: | ||
- and: | ||
- match: set registry value | ||
- and: | ||
- or: | ||
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i | ||
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i | ||
- string: /^Script$/i |
Oops, something went wrong.