Improve existing persistence rules #953

Merged
merged 8 commits into from
Dec 9, 2024
Expand Up @@ -7,7 +7,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
features:
- and:
- or:
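Review bot: the only change in this hunk is `dynamic: thread` to `dynamic: call`, and the rule body beneath it (`- and:` / `- or:`) is cut off, so the thing to check is whether every feature under that `and` can be observed in a single API call. In capa's dynamic flavor a `call` scope sees one call's name and arguments only, so an `and` of, for example, a registry key path string and a value-name string matches only when the sandbox reports both in that same call; features that used to co-occur across several calls within one thread stop matching after this change. A short `# validated against <sandbox> report` comment next to the scope, or a dynamic example in `examples:`, would record that this was checked.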
10 changes: 5 additions & 5 deletions nursery/reference-screen-saver-executable.yml
@@ -1,19 +1,19 @@
rule:
meta:
name: reference screen saver executable
name: persist via screensaver registry key
namespace: persistence/screensaver
authors:
- [email protected]
description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Screensaver [T1546.002]
features:
- and:
- string: "SCRNSAVE.EXE"
- match: set registry value
- string: /Control Panel\\Desktop/i
- string: /^SCRNSAVE.EXE$/i
- optional:
- string: "ScreenSaveTimeOut"
- string: "Control Panel\\Desktop"
- match: set registry value
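Review bot: `/^SCRNSAVE.EXE$/i` leaves the `.` unescaped, so it is a one-character wildcard rather than the literal dot; `/^SCRNSAVE\.EXE$/i` is what the anchored regex is meant to express. Two smaller points on the same hunk: the rule is renamed to `persist via screensaver registry key` while the file stays at `nursery/reference-screen-saver-executable.yml`, so the file name no longer matches the rule name (capa's linter flags that), and with the new `dynamic: call` scope the `and` of the `Control Panel\Desktop` path, the `SCRNSAVE.EXE` value name and `set registry value` must all be visible in one call, so confirm against a sandbox report that the key path and the value name are reported together on the RegSetValue call rather than split between the open-key and set-value calls.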
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
references:
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
examples:
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014]
references:
6 changes: 4 additions & 2 deletions persistence/registry/run/persist-via-run-registry-key.yml
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
mbc:
Expand All @@ -30,5 +30,7 @@ rule:
- string: /User Shell Folders/i
- string: /RunServices/i
- string: /Policies\\Explorer\\Run/i
- string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load/i
- and:
- string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i
- string: /Load/i
- string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i
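Review bot: `/Load/i` is an unanchored, case-insensitive substring match, so on its own it also hits strings such as `LoadLibrary`, `download` or `payload`; because this `and` is also evaluated at the static `function` scope, any function that references the `Windows NT\CurrentVersion\Windows` key and contains one of those strings now matches. Anchor the value name, `/^Load$/i`, so the pair only fires on the actual `Load` value, as the old single-string `...\\Windows\\load` form did by requiring the path prefix. (At `dynamic: call` scope the `and` already confines both strings to one call's arguments, so the loosening mainly affects static analysis.)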
Expand Up @@ -4,11 +4,14 @@ rule:
namespace: persistence/registry/winlogon-helper
authors:
- [email protected]
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004]
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/creating-a-policy-callback-function
examples:
- 9ff8e68343cc29c1036650fc153e69f7:0x47f818
features:
Expand All @@ -22,3 +25,7 @@ rule:
- string: /Notify/i
- string: /Userinit/i
- string: /Shell/i
- string: /mpnotify/i
- and:
- string: /GPExtensions/i
- string: /DllName/i
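Review bot: `/DllName/i` is a generic value name (it is also used under `Winlogon\Notify\<package>\DllName`, which the existing `/Notify/i` string already covers), so pairing it with `/GPExtensions/i` under `and` is the right constraint, but a `# Group Policy client-side extension DLL` comment next to the pair would tie it to the `creating-a-policy-callback-function` reference added at the top of the file; `/mpnotify/i` has no such reference or comment at all. The `examples:` list still shows only `9ff8e68343cc29c1036650fc153e69f7:0x47f818`, so if a sample exercising the `mpnotify` or `GPExtensions` branch is available, add it so the new paths are covered by the test corpus.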
2 changes: 1 addition & 1 deletion persistence/scheduled-tasks/schedule-task-via-at.yml
Expand Up @@ -6,7 +6,7 @@ rule:
- joren485
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Scheduled Task/Job::At [T1053.002]
examples:
2 changes: 1 addition & 1 deletion persistence/scheduled-tasks/schedule-task-via-schtasks.yml
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
examples:
2 changes: 1 addition & 1 deletion persistence/service/persist-via-windows-service.yml
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: call
att&ck:
- Persistence::Create or Modify System Process::Windows Service [T1543.003]
- Execution::System Services::Service Execution [T1569.002]
21 changes: 15 additions & 6 deletions persistence/startup-folder/write-file-to-startup-folder.yml
Expand Up @@ -4,6 +4,7 @@ rule:
namespace: persistence/startup-folder
authors:
- [email protected]
- [email protected]
scopes:
static: function
dynamic: thread
Expand All @@ -12,9 +13,17 @@ rule:
examples:
- 07F7846BBCDA782E5639292AD93907EB:0x401040
features:
- and:
- match: get startup folder
- or:
- match: copy file
- match: move file
- match: host-interaction/file-system/write
- or:
- and:
- match: get startup folder
- or:
- match: copy file
- match: move file
- match: write file on Windows
- call:
- and:
- match: reference startup folder
- or:
- match: copy file
- match: move file
- match: write file on Windows
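Review bot: `match: host-interaction/file-system/write` (a namespace match) is replaced by `match: write file on Windows` (a single rule), which is narrower: any other rule under that namespace that used to satisfy the `or` no longer does, so either confirm that narrowing is intended or keep the namespace match. On the new `call:` branch: this rule keeps `dynamic: thread` while every other rule in the PR moves to `call`, which is consistent because the subscope needs an enclosing thread, but the `and` inside it (`reference startup folder` plus copy/move/write) then requires the Startup path string and the file operation to come from one call's arguments. That holds for a copy or move with a destination path; for a handle-based write the path typically appears on the earlier open call, so check a report that the `write file on Windows` alternative can actually match under `call:` before relying on it.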