From 48621e0210a0e5081233275e6009c65a41318423 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 5 Nov 2024 14:00:03 +0100
Subject: [PATCH 1/7] Add 4 miscellaneous persistence techniques.
---
 nursery/persist-via-application-shimming.yml | 25 ++++++++++++++++
 nursery/persist-via-bits-job.yml | 29 +++++++++++++++++++
 ...sist-via-print-processors-registry-key.yml | 25 ++++++++++++++++
 .../persist-via-wmi-event-subscription.yml | 24 +++++++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 nursery/persist-via-application-shimming.yml
 create mode 100644 nursery/persist-via-bits-job.yml
 create mode 100644 nursery/persist-via-print-processors-registry-key.yml
 create mode 100644 nursery/persist-via-wmi-event-subscription.yml
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
new file mode 100644
index 00000000..cca43ce6
--- /dev/null
+++ b/nursery/persist-via-application-shimming.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: persist via application shimming
+ namespace: persistence/file-system-and-registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Application Shimming [T1546.011]
+ references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/fin7-shim-databases-persistence/
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
+ - string: /DatabasePath/i
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /.sdb/i
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
new file mode 100644
index 00000000..dbcbe1b0
--- /dev/null
+++ b/nursery/persist-via-bits-job.yml
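Review bot: The `.` in `- string: /.sdb/i` on the last line of this hunk is an unescaped regex metacharacter, so the feature matches any character followed by `sdb` rather than only the `.sdb` extension; it should read `- string: /\.sdb/i`. Since that string is the only feature distinguishing the copy/move/write branch from ordinary file handling, the looser pattern can match unrelated paths and raise false positives. The `InstalledSDB` and `DatabasePath` strings in the registry branch are fine as written.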
@@ -0,0 +1,29 @@
+rule:
+ meta:
+ name: persist via BITS job
+ namespace: persistence/custom-db
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::BITS Jobs [T1197]
+ references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+ features:
+ - or:
+ - and:
+ - api: ole32.CoCreateInstance
+ - string: "4991d34b-80a1-4291-83b6-3328366b9097" # BITS
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - and:
+ - string: /bitsadmin(|\.exe) /i
+ - string: /\/SetNotifyCmdLine/i
+ - and:
+ - or:
+ - string: /Set-BitsTransfer /i
+ - string: /Start-BitsTransfer /i
+ - string: / -NotifyCmdLine /i
diff --git a/nursery/persist-via-print-processors-registry-key.yml b/nursery/persist-via-print-processors-registry-key.yml
new file mode 100644
index 00000000..71768ef8
--- /dev/null
+++ b/nursery/persist-via-print-processors-registry-key.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: persist via Print Processors registry key
+ namespace: persistence/file-system-and-registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Print Processors [T1547.012]
+ references:
+ - https://stmxcsr.com/persistence/print-processor.html
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
+ - string: /^Driver$/i
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /\\spool\\PRTPROCS\\/i
diff --git a/nursery/persist-via-wmi-event-subscription.yml b/nursery/persist-via-wmi-event-subscription.yml
new file mode 100644
index 00000000..459bea4e
--- /dev/null
+++ b/nursery/persist-via-wmi-event-subscription.yml
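Review bot: `/bitsadmin(|\.exe) /i` makes the extension optional through an alternation with an empty branch; the conventional form is an optional group, `- string: /bitsadmin(\.exe)? /i`, which reads the same to a reviewer and avoids the empty alternative. The same construct appears in the WMI rule hunk of this commit (`/wmic(|\.exe) /i`) and in the sdbinst line added in PATCH 4/7. Separately, `/Set-BitsTransfer /i`, `/Start-BitsTransfer /i` and `/ -NotifyCmdLine /i` each require a trailing space, so a command line in which that token is the last thing on the line does not match; a `(\s|$)` or `\b` boundary instead of the literal space keeps the intent without that gap.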
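Review bot: The registry path regex in the Print Processors rule pins the control set to `CurrentControlSet|ControlSet001`, so a write under `ControlSet002` or any other numbered set is missed; `- string: /SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Environments\\.*\\Print Processors\\/i` keeps the intent and covers the numbered sets. The `.*` between `Environments\\` and `\\Print Processors` is greedy and can span several path segments; if the environment name is always a single segment, `[^\\]+` is the tighter choice. `/^Driver$/i` is correctly anchored and needs no change.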
@@ -0,0 +1,24 @@
+rule:
+ meta:
+ name: persist via WMI event subscription
+ namespace: persistence/custom-db
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Windows Management Instrumentation Event Subscription [T1546.003]
+ references:
+ - https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+ - https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap/
+ features:
+ - or:
+ - and:
+ - api: ole32.CoCreateInstance
+ - string: "4590F811-1D3A-11D0-891F-00AA004B2E24" # IWbemLocator
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - string: /wmic(|\.exe) /i
+ - string: /Register-WMIEvent /i
From 1d7ef457fe16e0f563cefff26588ba977cfc1e40 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Wed, 13 Nov 2024 11:30:21 +0100
Subject: [PATCH 2/7] change to COM tag
---
 nursery/persist-via-bits-job.yml | 2 +-
 nursery/persist-via-wmi-event-subscription.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
index dbcbe1b0..8520ae27 100644
--- a/nursery/persist-via-bits-job.yml
+++ b/nursery/persist-via-bits-job.yml
@@ -15,7 +15,7 @@ rule:
 - or:
 - and:
 - api: ole32.CoCreateInstance
- - string: "4991d34b-80a1-4291-83b6-3328366b9097" # BITS
+ - com/class: BackgroundCopyManager # 4991d34b-80a1-4291-83b6-3328366b9097
 - and:
 - match: host-interaction/process/create
 - or:
diff --git a/nursery/persist-via-wmi-event-subscription.yml b/nursery/persist-via-wmi-event-subscription.yml
index 459bea4e..9f53dd0d 100644
--- a/nursery/persist-via-wmi-event-subscription.yml
+++ b/nursery/persist-via-wmi-event-subscription.yml
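Review bot: The features of the WMI event subscription rule match generic WMI usage rather than the creation of a subscription: instantiating the locator via `ole32.CoCreateInstance` is what any WMI query does, and `Register-WMIEvent` registers a temporary, session-bound subscription rather than the permanent filter/consumer binding that T1546.003 describes. Consider requiring, alongside either branch, a string naming the permanent-subscription classes (for example `__EventFilter` or `__FilterToConsumerBinding`) so the rule does not fire on ordinary WMI queries. The trailing `# IWbemLocator` comment labels the CLSID with the interface name; the GUID is the locator class, so the comment should say `WbemLocator`.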
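Review bot: `- com/class: BackgroundCopyManager` in the BITS hunk only resolves if that exact spelling exists in capa's bundled COM class database; nothing in this series shows it does, whereas `WbemLocator` is already used by the existing connect-to-wmi-namespace rule, so please confirm the name before merging (if capa rejects unknown COM names, the rule would fail to load rather than silently not match). Keeping the CLSID in the trailing comment is helpful and should stay.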
@@ -16,7 +16,7 @@ rule:
 - or:
 - and:
 - api: ole32.CoCreateInstance
- - string: "4590F811-1D3A-11D0-891F-00AA004B2E24" # IWbemLocator
+ - com/class: WbemLocator # 4590F811-1D3A-11D0-891F-00AA004B2E24
 - and:
 - match: host-interaction/process/create
 - or:
From f23aaa7353c819223896f7743dcf965132d3fa24 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Wed, 13 Nov 2024 11:32:46 +0100
Subject: [PATCH 3/7] change namespaces
---
 nursery/persist-via-application-shimming.yml | 2 +-
 nursery/persist-via-bits-job.yml | 2 +-
 nursery/persist-via-print-processors-registry-key.yml | 2 +-
 nursery/persist-via-wmi-event-subscription.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
index cca43ce6..33bc166c 100644
--- a/nursery/persist-via-application-shimming.yml
+++ b/nursery/persist-via-application-shimming.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: persist via application shimming
- namespace: persistence/file-system-and-registry
+ namespace: persistence
 authors:
 - j.j.vannielen@utwente.nl
 scopes:
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
index 8520ae27..2499a78b 100644
--- a/nursery/persist-via-bits-job.yml
+++ b/nursery/persist-via-bits-job.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: persist via BITS job
- namespace: persistence/custom-db
+ namespace: persistence
 authors:
 - j.j.vannielen@utwente.nl
 scopes:
diff --git a/nursery/persist-via-print-processors-registry-key.yml b/nursery/persist-via-print-processors-registry-key.yml
index 71768ef8..14fc5b9f 100644
--- a/nursery/persist-via-print-processors-registry-key.yml
+++ b/nursery/persist-via-print-processors-registry-key.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: persist via Print Processors registry key
- namespace: persistence/file-system-and-registry
+ namespace: persistence
 authors:
 - j.j.vannielen@utwente.nl
 scopes:
diff --git a/nursery/persist-via-wmi-event-subscription.yml b/nursery/persist-via-wmi-event-subscription.yml
index 9f53dd0d..a263f7cb 100644
--- a/nursery/persist-via-wmi-event-subscription.yml
+++ b/nursery/persist-via-wmi-event-subscription.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: persist via WMI event subscription
- namespace: persistence/custom-db
+ namespace: persistence
 authors:
 - j.j.vannielen@utwente.nl
 scopes:
From d95d7b6027e7062974b623fa849f3f6fdcd663f6 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Wed, 13 Nov 2024 11:56:26 +0100
Subject: [PATCH 4/7] add sdbinst.exe to shimming rule
---
 nursery/persist-via-application-shimming.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
index 33bc166c..e28007b2 100644
--- a/nursery/persist-via-application-shimming.yml
+++ b/nursery/persist-via-application-shimming.yml
@@ -23,3 +23,6 @@ rule:
 - match: move file
 - match: host-interaction/file-system/write
 - string: /.sdb/i
+ - and:
+ - match: host-interaction/process/create
+ - string: /sdbinst(|\.exe) /i
From 2627820f8b66a66166b7a64d6e8b6222fedfa902 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Fri, 15 Nov 2024 15:05:30 +0100
Subject: [PATCH 5/7] add comment about overwriting .sdb files
---
 nursery/persist-via-application-shimming.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
index e28007b2..1ad948c3 100644
--- a/nursery/persist-via-application-shimming.yml
+++ b/nursery/persist-via-application-shimming.yml
@@ -18,6 +18,7 @@ rule:
 - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
 - string: /DatabasePath/i
 - and:
+ - description: Malware can overwrite existing shimming files to gain persistence
 - or:
 - match: copy file
 - match: move file
From 82a9d4030eb0fb242e2ecac1370e7e2eb6f01e43 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:12:11 +0100
Subject: [PATCH 6/7] move WMI persistence rule to WMI usage detection rule
---
 ...nnect-to-wmi-namespace-via-wbemlocator.yml | 48 ++++++++++++-------
 .../persist-via-wmi-event-subscription.yml | 24 ----------
 2 files changed, 31 insertions(+), 41 deletions(-)
 delete mode 100644 nursery/persist-via-wmi-event-subscription.yml
diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
index 6bec303c..d62247bb 100644
--- a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
+++ b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -7,26 +7,40 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: unsupported # requires offset, bytes features
+ dynamic: call
 att&ck:
 - Execution::Windows Management Instrumentation [T1047]
 examples:
 - al-khaser_x64.exe_:0x14001956e
 - al-khaser_x86.exe_:0x00445270
 features:
- - and:
- - basic block:
- - and:
- - api: ole32.CoCreateInstance
- - com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
- - com/interface: IWbemLocator # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
- - or:
- - and:
- - arch: i386
- - offset: 0xC = ppv->ConnectServer
- - and:
- - arch: amd64
- - offset: 0x18 = ppv->ConnectServer
- - optional:
- - string: /ROOT\\CIMV2/i
- - string: /ROOT\\DEFAULT/i
+ - or:
+ - call:
+ - description: dynamic detection rule
+ - or:
+ - and:
+ - api: ole32.CoCreateInstance
+ - com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - string: /wmic(|\.exe) /i
+ - string: /Register-WMIEvent /i
+ - and:
+ - description: static detection rule
+ - basic block:
+ - and:
+ - api: ole32.CoCreateInstance
+ - com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+ - com/interface: IWbemLocator # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
+ - basic block:
+ - or:
+ - and:
+ - arch: i386
+ - offset: 0xC = ppv->ConnectServer
+ - and:
+ - arch: amd64
+ - offset: 0x18 = ppv->ConnectServer
+ - optional:
+ - string: /ROOT\\CIMV2/i
+ - string: /ROOT\\DEFAULT/i
diff --git a/nursery/persist-via-wmi-event-subscription.yml b/nursery/persist-via-wmi-event-subscription.yml
deleted file mode 100644
index a263f7cb..00000000
--- a/nursery/persist-via-wmi-event-subscription.yml
+++ /dev/null
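Review bot: The static branch now splits the original single `basic block:` into two, so the `CoCreateInstance`/`WbemLocator`/`IWbemLocator` triple and the `ConnectServer` offset no longer have to sit in the same basic block; that loosens the rule relative to the removed version, and the two `examples:` addresses should be re-verified against the new structure. If the loosening is unintended, keep the `or:` of arch/offset inside the first `basic block:` as the old lines had it. The new process-create branch (`wmic`, `Register-WMIEvent`) detects WMI use through a spawned process rather than a connection via WbemLocator, so the rule name or a `description:` should say that the rule now covers both. Whether a `- description:` entry is accepted as the first item under a `call:` subscope is not visible from this diff and is worth a run of the rule linter.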
@@ -1,24 +0,0 @@
-rule:
- meta:
- name: persist via WMI event subscription
- namespace: persistence
- authors:
- - j.j.vannielen@utwente.nl
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Event Triggered Execution::Windows Management Instrumentation Event Subscription [T1546.003]
- references:
- - https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- - https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap/
- features:
- - or:
- - and:
- - api: ole32.CoCreateInstance
- - com/class: WbemLocator # 4590F811-1D3A-11D0-891F-00AA004B2E24
- - and:
- - match: host-interaction/process/create
- - or:
- - string: /wmic(|\.exe) /i
- - string: /Register-WMIEvent /i
From 5873d7ff7577813726974125e084010b78647834 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:16:19 +0100
Subject: [PATCH 7/7] Remove COM usage detection from BITS jobs persistence
---
 nursery/persist-via-bits-job.yml | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
index 2499a78b..fdd32715 100644
--- a/nursery/persist-via-bits-job.yml
+++ b/nursery/persist-via-bits-job.yml
@@ -12,18 +12,14 @@ rule:
 references:
 - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
 features:
- - or:
- - and:
- - api: ole32.CoCreateInstance
- - com/class: BackgroundCopyManager # 4991d34b-80a1-4291-83b6-3328366b9097
- - and:
- - match: host-interaction/process/create
- - or:
- - and:
- - string: /bitsadmin(|\.exe) /i
- - string: /\/SetNotifyCmdLine/i
- - and:
- - or:
- - string: /Set-BitsTransfer /i
- - string: /Start-BitsTransfer /i
- - string: / -NotifyCmdLine /i
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - and:
+ - string: /bitsadmin(|\.exe) /i
+ - string: /\/SetNotifyCmdLine/i
+ - and:
+ - or:
+ - string: /Set-BitsTransfer /i
+ - string: /Start-BitsTransfer /i
+ - string: / -NotifyCmdLine /i
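Review bot: Dropping the `CoCreateInstance`/`BackgroundCopyManager` branch leaves only the process-create path, so a sample that configures the job through the BITS COM API in-process, without spawning bitsadmin or PowerShell, no longer matches this rule at all. If that is deliberate because instantiating the copy manager alone was too generic for a persistence rule, a `- description:` line under the remaining `- and:` saying so would spare the next reader from re-adding it; otherwise narrowing the branch (for example with a `com/interface:` feature for the job interface that exposes `SetNotifyCmdLine`, if capa's COM database carries it) keeps the coverage while removing the generic match. The commit message should also state that the rule is now strictly narrower than before.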