Add 10 file system-based persistence techniques (#955)

* Add file system based persistence techniques

---------

Co-authored-by: Moritz <[email protected]>

nursery/persist-via-errorhandler-script.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via ErrorHandler script
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - string: /\\Windows\\Setup\\Scripts\\ErrorHandler.cmd/i

nursery/persist-via-get-variable-hijack.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via Get-Variable hijack
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - string: /Microsoft\\WindowsApps\\Get-Variable.exe/i

nursery/persist-via-iphlpapi-dll-hijack.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via iphlpapi DLL hijack
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://cyble.com/blog/targeted-attacks-being-carried-out-via-dll-sideloading/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - string: /\\Appdata\\Local\\Microsoft\\.*\\iphlpapi.dll/i

nursery/persist-via-lnk-shortcut.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via lnk shortcut
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
+    references:
+      - https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - string: /\.lnk$/i

nursery/persist-via-powershell-profile.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: persist via PowerShell profile
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::PowerShell Profile [T1546.013]
+    references:
+      - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - or:
+        - string: /Profile.ps1/i
+        - string: /Microsoft.PowerShell_profile.ps1/i

nursery/persist-via-windows-accessibility-tools.yml

@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: persist via Windows accessibility tools
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Accessibility Features [T1546.008]
+    references:
+      - https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - or:
+        - string: /windows\\system32\\osk.exe/i
+        - string: /windows\\system32\\Magnify.exe/i
+        - string: /windows\\system32\\narator.exe/i
+        - string: /windows\\system32\\displayswitch.exe/i
+        - string: /windows\\system32\\atbroker.exe/i
+        - string: /windows\\system32\\sethc.exe/i
+        - string: /windows\\system32\\utilman.exe/i

nursery/persist-via-windows-terminal-profile.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: persist via Windows Terminal Profile
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://nasbench.medium.com/persistence-using-windows-terminal-profiles-5035d3fc86fe
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - or:
+        - string: /Local\\Packages\\Microsoft.WindowsTerminal_.*\\LocalState\\settings.json/i

nursery/write-to-browser-extension-directory.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: write to browser extension directory
+    namespace: persistence/file-system
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Browser Extensions [T1176]
+  features:
+    - and:
+      - description: can be used for browser-based persistence
+      - or:
+        - match: copy file
+        - match: move file
+        - match: write file on Windows
+      - or:
+        - string: /\\Microsoft\\Edge\\User Data\\Default\\Extensions\\/i
+        - string: /\\Google\\Chrome\\User Data\\Default\\Extensions\\/i
+        - string: /\\Mozilla\\Firefox\\Profiles\\.*default\\extensions\\/i