From 07c63acb6fe073ce5079431a45dcdbed7b25f861 Mon Sep 17 00:00:00 2001 
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:16:29 +0100
Subject: [PATCH 01/10] Add 38 new registry-based persistence techniques
---
 nursery/persist-via-aedebug-registry-key.yml | 18 ++++++++++++
 nursery/persist-via-amsi-registry-key.yml | 17 +++++++++++
 .../persist-via-app-paths-registry-key.yml | 17 +++++++++++
 .../persist-via-appcertdlls-registry-key.yml | 17 +++++++++++
 nursery/persist-via-appx-registry-key.yml | 22 +++++++++++++++
 .../persist-via-autodialdll-registry-key.yml | 19 +++++++++++++
 ...sist-via-autoplayhandlers-registry-key.yml | 22 +++++++++++++++
 ...a-bootverificationprogram-registry-key.yml | 18 ++++++++++++
 .../persist-via-code-signing-registry-key.yml | 19 +++++++++++++
 nursery/persist-via-com-hijack.yml | 23 +++++++++++++++
 ...ist-via-command-processor-registry-key.yml | 19 +++++++++++++
 ...t-via-contextmenuhandlers-registry-key.yml | 18 ++++++++++++
 ...t-via-cor_profiler_path-registry-value.yml | 20 +++++++++++++
 ...-default-file-association-registry-key.yml | 20 +++++++++++++
 ...-via-disk-cleanup-handler-registry-key.yml | 20 +++++++++++++
 ...dotnet-dbgmanageddebugger-registry-key.yml | 18 ++++++++++++
 ...-via-dotnet_startup_hooks-registry-key.yml | 23 +++++++++++++++
 ...ersist-via-explorer-tools-registry-key.yml | 17 +++++++++++
 ...rsist-via-filter-handlers-registry-key.yml | 19 +++++++++++++
 .../persist-via-group-policy-registry-key.yml | 21 ++++++++++++++
 nursery/persist-via-hhctrl-com-hijack.yml | 17 +++++++++++
 ...rsist-via-htmlhelp-author-registry-key.yml | 19 +++++++++++++
 ...ge-file-execution-options-registry-key.yml | 19 +++++++++++++
 nursery/persist-via-lsa-registry-key.yml | 28 +++++++++++++++++++
 ...sist-via-natural-language-registry-key.yml | 20 +++++++++++++
 nursery/persist-via-netsh-registry-key.yml | 17 +++++++++++
 ...sist-via-network-provider-registry-key.yml | 18 ++++++++++++
 nursery/persist-via-path-registry-key.yml | 20 +++++++++++++
 ...ersist-via-print-monitors-registry-key.yml | 19 +++++++++++++
 ...-via-rdp-startup-programs-registry-key.yml | 19 +++++++++++++
 ...ist-via-silentprocessexit-registry-key.yml | 18 ++++++++++++
 nursery/persist-via-task-scheduler.yml | 26 +++++++++++++++++
 ...t-via-telemetrycontroller-registry-key.yml | 18 ++++++++++++
 ...persist-via-timeproviders-registry-key.yml | 19 +++++++++++++
 ...ist-via-ts-initialprogram-registry-key.yml | 20 +++++++++++++
 ...ist-via-universal-app-uri-registry-key.yml | 17 +++++++++++
 ...-userinitmprlogonscript-registry-value.yml | 20 +++++++++++++
 ...a-windows-error-reporting-registry-key.yml | 18 ++++++++++++
 38 files changed, 739 insertions(+)
 create mode 100644 nursery/persist-via-aedebug-registry-key.yml
 create mode 100644 nursery/persist-via-amsi-registry-key.yml
 create mode 100644 nursery/persist-via-app-paths-registry-key.yml
 create mode 100644 nursery/persist-via-appcertdlls-registry-key.yml
 create mode 100644 nursery/persist-via-appx-registry-key.yml
 create mode 100644 nursery/persist-via-autodialdll-registry-key.yml
 create mode 100644 nursery/persist-via-autoplayhandlers-registry-key.yml
 create mode 100644 nursery/persist-via-bootverificationprogram-registry-key.yml
 create mode 100644 nursery/persist-via-code-signing-registry-key.yml
 create mode 100644 nursery/persist-via-com-hijack.yml
 create mode 100644 nursery/persist-via-command-processor-registry-key.yml
 create mode 100644 nursery/persist-via-contextmenuhandlers-registry-key.yml
 create mode 100644 nursery/persist-via-cor_profiler_path-registry-value.yml
 create mode 100644 nursery/persist-via-default-file-association-registry-key.yml
 create mode 100644 nursery/persist-via-disk-cleanup-handler-registry-key.yml
 create mode 100644 nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
 create mode 100644 nursery/persist-via-dotnet_startup_hooks-registry-key.yml
 create mode 100644 nursery/persist-via-explorer-tools-registry-key.yml
 create mode 100644 nursery/persist-via-filter-handlers-registry-key.yml
 create mode 100644 nursery/persist-via-group-policy-registry-key.yml
 create mode 100644 nursery/persist-via-hhctrl-com-hijack.yml
 create mode 100644 nursery/persist-via-htmlhelp-author-registry-key.yml
 create mode 100644 nursery/persist-via-image-file-execution-options-registry-key.yml
 create mode 100644 nursery/persist-via-lsa-registry-key.yml
 create mode 100644 nursery/persist-via-natural-language-registry-key.yml
 create mode 100644 nursery/persist-via-netsh-registry-key.yml
 create mode 100644 nursery/persist-via-network-provider-registry-key.yml
 create mode 100644 nursery/persist-via-path-registry-key.yml
 create mode 100644 nursery/persist-via-print-monitors-registry-key.yml
 create mode 100644 nursery/persist-via-rdp-startup-programs-registry-key.yml
 create mode 100644 nursery/persist-via-silentprocessexit-registry-key.yml
 create mode 100644 nursery/persist-via-task-scheduler.yml
 create mode 100644 nursery/persist-via-telemetrycontroller-registry-key.yml
 create mode 100644 nursery/persist-via-timeproviders-registry-key.yml
 create mode 100644 nursery/persist-via-ts-initialprogram-registry-key.yml
 create mode 100644 nursery/persist-via-universal-app-uri-registry-key.yml
 create mode 100644 nursery/persist-via-userinitmprlogonscript-registry-value.yml
 create mode 100644 nursery/persist-via-windows-error-reporting-registry-key.yml
diff --git a/nursery/persist-via-aedebug-registry-key.yml b/nursery/persist-via-aedebug-registry-key.yml
new file mode 100644
index 00000000..aa185cc8
--- /dev/null
+++ b/nursery/persist-via-aedebug-registry-key.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via AeDebug registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i
+ - string: /Debugger/i
diff --git a/nursery/persist-via-amsi-registry-key.yml b/nursery/persist-via-amsi-registry-key.yml
new file mode 100644
index 00000000..f22cfdf6
--- /dev/null
+++ b/nursery/persist-via-amsi-registry-key.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via AMSI registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\AMSI\\Providers\\/i
diff --git a/nursery/persist-via-app-paths-registry-key.yml b/nursery/persist-via-app-paths-registry-key.yml
new file mode 100644
index 00000000..d937b723
--- /dev/null
+++ b/nursery/persist-via-app-paths-registry-key.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via App paths registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
+ references:
+ - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i
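Review bot: The ATT&CK mapping in persist-via-app-paths-registry-key.yml, `Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]`, does not describe the App Paths key, which redirects a bare program name to a fixed path without the PATH environment variable being involved. This patch already uses the parent technique for the hhctrl rule, so `- Persistence::Hijack Execution Flow [T1574]` is the safer label until a sub-technique that actually fits is confirmed. The rest of the rule reads fine.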
diff --git a/nursery/persist-via-appcertdlls-registry-key.yml b/nursery/persist-via-appcertdlls-registry-key.yml
new file mode 100644
index 00000000..aede046c
--- /dev/null
+++ b/nursery/persist-via-appcertdlls-registry-key.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via AppCertDlls registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::AppCert DLLs [T1546.009]
+ references:
+ - https://skanthak.hier-im-netz.de/appcert.html
+ features:
+ - and:
+ - match: set registry value
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i
diff --git a/nursery/persist-via-appx-registry-key.yml b/nursery/persist-via-appx-registry-key.yml
new file mode 100644
index 00000000..d7c9dbd6
--- /dev/null
+++ b/nursery/persist-via-appx-registry-key.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: persist via AppX registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i
+ - and:
+ - string: /ActivatableClasses\\Package\\/i
+ - string: /DebugInformation/i
+ - string: /DebugPath/i
diff --git a/nursery/persist-via-autodialdll-registry-key.yml b/nursery/persist-via-autodialdll-registry-key.yml
new file mode 100644
index 00000000..01c68e8e
--- /dev/null
+++ b/nursery/persist-via-autodialdll-registry-key.yml
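Review bot: The key regex in persist-via-appcertdlls-registry-key.yml, `/System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i`, accepts only `ControlSet001` as a literal control set, so a sample that addresses the key through `ControlSet002` or any later numbered set is not detected. Replacing `ControlSet001` with `ControlSet00\d` in the alternation keeps the intent and covers the numbered sets. The same alternation is copied into the autodialdll, bootverificationprogram, cor_profiler_path, dotnet_startup_hooks, lsa, natural-language, network-provider, path, print-monitors, rdp-startup-programs, timeproviders, ts-initialprogram and userinitmprlogonscript rules in this patch, and all of them should change together.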
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via AutodialDLL registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations
+ - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+ features:
+ - and:
+ - match: set registry value
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i
+ - string: /AutodialDLL/i
diff --git a/nursery/persist-via-autoplayhandlers-registry-key.yml b/nursery/persist-via-autoplayhandlers-registry-key.yml
new file mode 100644
index 00000000..687d7b8d
--- /dev/null
+++ b/nursery/persist-via-autoplayhandlers-registry-key.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: persist via AutoplayHandlers registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event
+ - https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i
+ - or:
+ - string: /Action/i
+ - string: /Provider/i
+ - string: /InitCmd/i
diff --git a/nursery/persist-via-bootverificationprogram-registry-key.yml b/nursery/persist-via-bootverificationprogram-registry-key.yml
new file mode 100644
index 00000000..de4c0273
--- /dev/null
+++ b/nursery/persist-via-bootverificationprogram-registry-key.yml
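Review bot: In persist-via-autoplayhandlers-registry-key.yml the `or:` block matches `/Action/i`, `/Provider/i` and `/InitCmd/i` as bare substrings, and `Action` and `Provider` occur in so many ordinary strings that this branch adds almost no precision beyond the `AutoplayHandlers\\Handlers\\` key itself. Anchoring the value names the way other rules in this patch do, `- string: /^Action$/i`, `- string: /^Provider$/i`, `- string: /^InitCmd$/i`, makes the `or:` carry real weight. The same applies to `/location/i` in persist-via-htmlhelp-author-registry-key.yml, which is an even more generic token.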
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via BootVerificationProgram registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution [T1547]
+ references:
+ - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+ features:
+ - and:
+ - match: set registry value
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i
+ - string: /ImagePath/i
diff --git a/nursery/persist-via-code-signing-registry-key.yml b/nursery/persist-via-code-signing-registry-key.yml
new file mode 100644
index 00000000..c474c008
--- /dev/null
+++ b/nursery/persist-via-code-signing-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via Code signing registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
+ features:
+ - and:
+ - match: set registry value
+ - and:
+ - string: /Microsoft\\Cryptography\\OID\\/i
+ - string: /^Dll$/i
diff --git a/nursery/persist-via-com-hijack.yml b/nursery/persist-via-com-hijack.yml
new file mode 100644
index 00000000..69c6a8be
--- /dev/null
+++ b/nursery/persist-via-com-hijack.yml
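Review bot: In persist-via-code-signing-registry-key.yml the inner `- and:` nested directly under the outer `- and:` is redundant; the two `string:` features can sit at the same level as `match: set registry value`, which is how most rules in this patch are written. The same nesting appears in the command-processor, group-policy and htmlhelp-author rules. Flattening it is purely a readability change and the matching logic stays identical.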
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: persist via COM hijack
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
+ references:
+ - https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/
+ - https://stmxcsr.com/persistence/com-hijacking.html
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /Classes\\CLSID/i
+ - string: /Classes\\WOW6432Node\\CLSID/i
+ - or:
+ - string: /InProcServer32/i
+ - string: /LocalServer32/i
diff --git a/nursery/persist-via-command-processor-registry-key.yml b/nursery/persist-via-command-processor-registry-key.yml
new file mode 100644
index 00000000..656f8d99
--- /dev/null
+++ b/nursery/persist-via-command-processor-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via Command Processor registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
+ features:
+ - and:
+ - match: set registry value
+ - and:
+ - string: /Microsoft\\Command Processor/i
+ - string: /AutoRun/i
diff --git a/nursery/persist-via-contextmenuhandlers-registry-key.yml b/nursery/persist-via-contextmenuhandlers-registry-key.yml
new file mode 100644
index 00000000..790f7306
--- /dev/null
+++ b/nursery/persist-via-contextmenuhandlers-registry-key.yml
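Review bot: persist-via-com-hijack.yml will match any code that registers a COM server, because writing `InProcServer32` or `LocalServer32` under `Classes\\CLSID` is exactly what legitimate self-registering components and installers do; nothing in the rule separates the takeover of an existing CLSID from ordinary registration. That false-positive profile also propagates, since the disk-cleanup-handler and filter-handlers rules pull this one in via `match:`. A `description:` entry in `meta:` stating that the rule flags COM server registration in general, and that the analyst should check whether the CLSID already belongs to a system component, would set expectations for consumers of the rule.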
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via ContextMenuHandlers registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://pentestlab.blog/2023/03/13/persistence-context-menu/
+ - https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html
+ features:
+ - and:
+ - match: set registry value
+ - string: /\\shellex\\ContextMenuHandlers\\/i
diff --git a/nursery/persist-via-cor_profiler_path-registry-value.yml b/nursery/persist-via-cor_profiler_path-registry-value.yml
new file mode 100644
index 00000000..d593d573
--- /dev/null
+++ b/nursery/persist-via-cor_profiler_path-registry-value.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via COR_PROFILER_PATH registry value
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012]
+ references:
+ - https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /Environment/i
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
+ - string: /COR_PROFILER_PATH/
diff --git a/nursery/persist-via-default-file-association-registry-key.yml b/nursery/persist-via-default-file-association-registry-key.yml
new file mode 100644
index 00000000..6a1b25cf
--- /dev/null
+++ b/nursery/persist-via-default-file-association-registry-key.yml
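Review bot: In persist-via-cor_profiler_path-registry-value.yml the `or:` of `/Environment/i` and `/SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i` collapses to its first branch, because every string the long pattern matches also contains `Environment`; the machine-wide key pattern contributes nothing and the rule effectively keys on the word `Environment`. If the per-user key is meant to be matched on its own, an anchored form such as `/^Environment$/i` expresses that; if not, the generic string should go and only the specific key stay. The same subsumption is present in persist-via-path-registry-key.yml and persist-via-userinitmprlogonscript-registry-value.yml, and the two `and:` branches of persist-via-dotnet_startup_hooks-registry-key.yml reduce to the second one for the same reason. Separately, `/COR_PROFILER_PATH/` is the only regex in the patch without the `/i` flag, which looks accidental.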
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via default file association registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
+ references:
+ - https://woshub.com/managing-default-file-associations-in-windows-10/
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /file\\shell\\open\\command/i
+ - string: /file\\shell\\print\\command/i
+ - string: /file\\shell\\printto\\command/i
diff --git a/nursery/persist-via-disk-cleanup-handler-registry-key.yml b/nursery/persist-via-disk-cleanup-handler-registry-key.yml
new file mode 100644
index 00000000..d71b378c
--- /dev/null
+++ b/nursery/persist-via-disk-cleanup-handler-registry-key.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via Disk Cleanup Handler registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+ - https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i
+ - optional:
+ - match: persist via COM hijack
diff --git a/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml b/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
new file mode 100644
index 00000000..a949bd29
--- /dev/null
+++ b/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via .NET DbgManagedDebugger registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\.NETFramework/i
+ - string: /DbgManagedDebugger/i
diff --git a/nursery/persist-via-dotnet_startup_hooks-registry-key.yml b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml
new file mode 100644
index 00000000..20e67b96
--- /dev/null
+++ b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: persist via DOTNET_STARTUP_HOOKS registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002]
+ references:
+ - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
+ - string: /DOTNET_STARTUP_HOOKS/i
+ - and:
+ - match: set registry value
+ - string: /Environment/i
+ - string: /DOTNET_STARTUP_HOOKS/i
diff --git a/nursery/persist-via-explorer-tools-registry-key.yml b/nursery/persist-via-explorer-tools-registry-key.yml
new file mode 100644
index 00000000..9f1d288d
--- /dev/null
+++ b/nursery/persist-via-explorer-tools-registry-key.yml
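Review bot: In persist-via-dotnet-dbgmanageddebugger-registry-key.yml the pattern `/Microsoft\\.NETFramework/i` leaves the dot unescaped, so after the literal backslash it accepts any single character before `NETFramework` rather than the `.` of the real key name. `/Microsoft\\\.NETFramework/i` matches the key literally, using the same `\\\.` form the filter-handlers rule in this patch already uses. The difference is small in practice but the current form reads as a typo.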
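Review bot: The ATT&CK entry in persist-via-dotnet_startup_hooks-registry-key.yml, `Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002]`, does not describe a startup-hook environment variable, which makes the runtime load an assembly it is explicitly told about rather than a DLL placed beside a legitimate binary. The parent `Persistence::Hijack Execution Flow [T1574]`, already used by the hhctrl rule in this patch, is the defensible label unless a closer sub-technique is confirmed. The mapping is metadata only, so the matching logic is unaffected either way.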
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via Explorer tools registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i
diff --git a/nursery/persist-via-filter-handlers-registry-key.yml b/nursery/persist-via-filter-handlers-registry-key.yml
new file mode 100644
index 00000000..116f71d9
--- /dev/null
+++ b/nursery/persist-via-filter-handlers-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via Filter Handlers registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about
+ features:
+ - and:
+ - match: set registry value
+ - string: /\\\.(.*?)\\Handler/i
+ - optional:
+ - match: persist via COM hijack
diff --git a/nursery/persist-via-group-policy-registry-key.yml b/nursery/persist-via-group-policy-registry-key.yml
new file mode 100644
index 00000000..6bfb6bf5
--- /dev/null
+++ b/nursery/persist-via-group-policy-registry-key.yml
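Review bot: The regex in persist-via-filter-handlers-registry-key.yml, `/\\\.(.*?)\\Handler/i`, requires a backslash immediately before `Handler`, so the per-extension registration described in the linked IFilter documentation, a `PersistentHandler` subkey under the extension key, does not match, because there `Handler` is preceded by `Persistent` rather than by a backslash. If that subkey is the intended signal, `/\\\.[^\\]+\\PersistentHandler/i` matches it and is also much narrower than the current pattern, which fires on any `\.something...\Handler` fragment. This should be confirmed against a sample that actually registers a filter before the rule leaves the nursery.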
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: persist via Group Policy registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution [T1547]
+ references:
+ - None
+ features:
+ - and:
+ - match: set registry value
+ - and:
+ - or:
+ - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i
+ - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i
+ - string: /^Script$/i
diff --git a/nursery/persist-via-hhctrl-com-hijack.yml b/nursery/persist-via-hhctrl-com-hijack.yml
new file mode 100644
index 00000000..b2667066
--- /dev/null
+++ b/nursery/persist-via-hhctrl-com-hijack.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via hhctrl COM hijack
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+ features:
+ - and:
+ # - match: persistence/registry/persist via COM hijack
+ - string: /{52A2AAAE-085D-4187-97EA-8C30DB990436}/i
diff --git a/nursery/persist-via-htmlhelp-author-registry-key.yml b/nursery/persist-via-htmlhelp-author-registry-key.yml
new file mode 100644
index 00000000..055ea587
--- /dev/null
+++ b/nursery/persist-via-htmlhelp-author-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via HtmlHelp Author registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+ features:
+ - and:
+ - match: set registry value
+ - and:
+ - string: /Software\\Microsoft\\HtmlHelp Author/i
+ - string: /location/i
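Review bot: persist-via-group-policy-registry-key.yml lists `- None` under `references:`, which is a placeholder string rather than a reference and will be read as a literal citation by anything that consumes the rule metadata. Either drop the `references:` key or cite the source the two `Group Policy\\Scripts` key patterns were taken from. In both regexes the trailing `.*` after the last `\\` is redundant in an unanchored search and can be removed without changing what matches.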
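Review bot: persist-via-hhctrl-com-hijack.yml maps to `Persistence::Hijack Execution Flow [T1574]` while the generic COM hijack rule in the same patch maps to `Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]`, even though this rule is a specialisation of that one for a single CLSID. Using the same `T1546.015` entry here keeps the two rules consistent for anyone pivoting on ATT&CK IDs. The commented-out `match:` line is already addressed by the follow-up patch in this series, so this note is about the metadata only.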
diff --git a/nursery/persist-via-image-file-execution-options-registry-key.yml b/nursery/persist-via-image-file-execution-options-registry-key.yml
new file mode 100644
index 00000000..97fc7894
--- /dev/null
+++ b/nursery/persist-via-image-file-execution-options-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via Image File Execution Options registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Image File Execution Options Injection [T1546.012]
+ references:
+ - https://www.malwarebytes.com/blog/101/2015/12/an-introduction-to-image-file-execution-options
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\/i
+ - string: /Debugger/i
diff --git a/nursery/persist-via-lsa-registry-key.yml b/nursery/persist-via-lsa-registry-key.yml
new file mode 100644
index 00000000..645906cc
--- /dev/null
+++ b/nursery/persist-via-lsa-registry-key.yml
@@ -0,0 +1,28 @@
+rule:
+ meta:
+ name: persist via LSA registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002]
+ - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/secauthn/authentication-packages
+ - https://learn.microsoft.com/en-us/windows/win32/secmgmt/password-filters
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - and:
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Lsa/i
+ - or:
+ - string: /Authentication Packages/i
+ - string: /Notification packages/i
+ - string: /Security Packages/i
+ - and:
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\LsaExtensionConfig\\LsaSrv/i
+ - string: /Extensions/i
diff --git a/nursery/persist-via-natural-language-registry-key.yml b/nursery/persist-via-natural-language-registry-key.yml
new file mode 100644
index 00000000..60d4afcc
--- /dev/null
+++ b/nursery/persist-via-natural-language-registry-key.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via Natural Language registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution [T1547]
+ references:
+ - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+ features:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\ContentIndex\\Language\\/i
+ - or:
+ - string: /StemmerDLLPathOverride/i
+ - string: /WBDLLPathOverride/i
diff --git a/nursery/persist-via-netsh-registry-key.yml b/nursery/persist-via-netsh-registry-key.yml
new file mode 100644
index 00000000..fb955a4b
--- /dev/null
+++ b/nursery/persist-via-netsh-registry-key.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via Netsh registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Netsh/i
diff --git a/nursery/persist-via-network-provider-registry-key.yml b/nursery/persist-via-network-provider-registry-key.yml
new file mode 100644
index 00000000..26b7e9c7
--- /dev/null
+++ b/nursery/persist-via-network-provider-registry-key.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via Network provider registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008]
+ references:
+ - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
+ features:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\.*\\NetworkProvider/i
+ - string: /ProviderPath/i
diff --git a/nursery/persist-via-path-registry-key.yml b/nursery/persist-via-path-registry-key.yml
new file mode 100644
index 00000000..5bab676d
--- /dev/null
+++ b/nursery/persist-via-path-registry-key.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via PATH registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
+ references:
+ - https://attack.mitre.org/techniques/T1574/007/
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
+ - string: /Environment/i
+ - string: /^PATH$/i
diff --git a/nursery/persist-via-print-monitors-registry-key.yml b/nursery/persist-via-print-monitors-registry-key.yml
new file mode 100644
index 00000000..5b19a50e
--- /dev/null
+++ b/nursery/persist-via-print-monitors-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via Print Monitors registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Port Monitors [T1547.010]
+ references:
+ - https://stmxcsr.com/persistence/print-monitor.html
+ - https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
+ features:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Monitors\\/i
+ - string: /^Driver$/i
diff --git a/nursery/persist-via-rdp-startup-programs-registry-key.yml b/nursery/persist-via-rdp-startup-programs-registry-key.yml
new file mode 100644
index 00000000..f7fa1bf9
--- /dev/null
+++ b/nursery/persist-via-rdp-startup-programs-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via RDP startup programs registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside
+ - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+ features:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\Wds\\rdpwd/i
+ - string: /^StartupPrograms$/i
diff --git a/nursery/persist-via-silentprocessexit-registry-key.yml b/nursery/persist-via-silentprocessexit-registry-key.yml
new file mode 100644
index 00000000..029f8048
--- /dev/null
+++ b/nursery/persist-via-silentprocessexit-registry-key.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via SilentProcessExit registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\.*/i
+ - string: /^MonitorProcess$/i
diff --git a/nursery/persist-via-task-scheduler.yml b/nursery/persist-via-task-scheduler.yml
new file mode 100644
index 00000000..66827cf0
--- /dev/null
+++ b/nursery/persist-via-task-scheduler.yml
@@ -0,0 +1,26 @@
+rule:
+ meta:
+ name: persist via Task Scheduler
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
+ - https://stmxcsr.com/persistence/scheduled-tasks.html
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i
+ - string: /^Actions$/i
+ - and:
+ - match: host-interaction/process/create
+ - string: /schtasks(|\.exe) /i
+ - or:
+ - string: /\/change/i
+ - string: /\/create/i
diff --git a/nursery/persist-via-telemetrycontroller-registry-key.yml b/nursery/persist-via-telemetrycontroller-registry-key.yml
new file mode 100644
index 00000000..c2634e6e
--- /dev/null
+++ b/nursery/persist-via-telemetrycontroller-registry-key.yml
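Review bot: persist-via-task-scheduler.yml sits in `namespace: persistence/registry`, but its second `and:` branch matches a `schtasks` process launch through `host-interaction/process/create` and touches no registry key, so consumers filtering on the registry namespace will receive process-creation hits under it. Splitting the schtasks branch into its own rule under a scheduled-task namespace, or moving this rule out of the registry namespace and adding a `description:` that names both paths, keeps the namespace honest. Note also that `/schtasks(|\.exe) /i` requires a trailing space after the executable name, so a binary that stores `schtasks.exe` and its arguments as separate strings does not satisfy the second branch; that may be intended, but it deserves a comment.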
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via TelemetryController registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Scheduled Task/Job [T1053]
+ references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\/i
+ - string: /^Command$/i
diff --git a/nursery/persist-via-timeproviders-registry-key.yml b/nursery/persist-via-timeproviders-registry-key.yml
new file mode 100644
index 00000000..900535a6
--- /dev/null
+++ b/nursery/persist-via-timeproviders-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via TimeProviders registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Time Providers [T1547.003]
+ references:
+ - https://stmxcsr.com/persistence/time-provider.html
+ - https://learn.microsoft.com/en-us/windows/win32/sysinfo/time-provider?redirectedfrom=MSDN
+ features:
+ - and:
+ - match: set registry value
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\W32Time\\TimeProviders\\/i
+ - string: /^DllName$/i
diff --git a/nursery/persist-via-ts-initialprogram-registry-key.yml b/nursery/persist-via-ts-initialprogram-registry-key.yml
new file mode 100644
index 00000000..5bd7ddf0
--- /dev/null
+++ b/nursery/persist-via-ts-initialprogram-registry-key.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via TS InitialProgram registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://persistence-info.github.io/Data/tsinitialprogram.html
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /\\Policies\\Microsoft\\Windows NT\\Terminal Services/i
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\WinStations\\RDP-Tcp/i
+ - string: /^InitialProgram$/i
diff --git a/nursery/persist-via-universal-app-uri-registry-key.yml b/nursery/persist-via-universal-app-uri-registry-key.yml
new file mode 100644
index 00000000..29e2cefc
--- /dev/null
+++ b/nursery/persist-via-universal-app-uri-registry-key.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via Universal App Uri registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+ features:
+ - and:
+ - match: set registry value
+ - string: /Classes\\App.*\\Shell\\open\\command/i
diff --git a/nursery/persist-via-userinitmprlogonscript-registry-value.yml b/nursery/persist-via-userinitmprlogonscript-registry-value.yml
new file mode 100644
index 00000000..ebbd3e3a
--- /dev/null
+++ b/nursery/persist-via-userinitmprlogonscript-registry-value.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via UserInitMprLogonScript registry value
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Initialization Scripts::Logon Script (Windows) [T1037.001]
+ references:
+ - https://attack.mitre.org/techniques/T1037/001/
+ features:
+ - and:
+ - match: set registry value
+ - or:
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
+ - string: /Environment/i
+ - string: /UserInitMprLogonScript/i
diff --git a/nursery/persist-via-windows-error-reporting-registry-key.yml b/nursery/persist-via-windows-error-reporting-registry-key.yml
new file mode 100644
index 00000000..16ddf3c4
--- /dev/null
+++ b/nursery/persist-via-windows-error-reporting-registry-key.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: persist via Windows Error Reporting registry key
+ namespace: persistence/registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+ features:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows\\Windows Error Reporting\\Hangs/i
+ - string: /Debugger/i
From 0183d470fdf7615d67900d884f02ec3ff83c9c27 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:49:12 +0100
Subject: [PATCH 02/10] fix hhctrl com hijack match statement
---
 nursery/persist-via-hhctrl-com-hijack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/persist-via-hhctrl-com-hijack.yml b/nursery/persist-via-hhctrl-com-hijack.yml
index b2667066..25ce52c9 100644
--- a/nursery/persist-via-hhctrl-com-hijack.yml
+++ b/nursery/persist-via-hhctrl-com-hijack.yml
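Review bot: `/Debugger/i` in the Windows Error Reporting rule is the only value-name pattern in this batch without `^…$` anchors; the other new rules use `/^MonitorProcess$/i`, `/^Command$/i`, `/^DllName$/i`, so `- string: /^Debugger$/i` would be consistent and would stop the rule keying on any string that merely contains "debugger" inside a function that also references the `Windows Error Reporting\\Hangs` path. If the unanchored form is deliberate (for example to also catch a `…\Hangs\Debugger` key and value written as one path string), a short `description:` in `meta` should say so.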
@@ -13,5 +13,5 @@ rule:
 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
 features:
 - and:
- # - match: persistence/registry/persist via COM hijack
+ - match: persist via COM hijack
 - string: /{52A2AAAE-085D-4187-97EA-8C30DB990436}/i
From 861336737797cfa0e40e2934d63ee69d7d01e58d Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:02:49 +0100
Subject: [PATCH 03/10] fix core_profiler_path rule
---
 nursery/persist-via-cor_profiler_path-registry-value.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/nursery/persist-via-cor_profiler_path-registry-value.yml b/nursery/persist-via-cor_profiler_path-registry-value.yml
index d593d573..b9537e57 100644
--- a/nursery/persist-via-cor_profiler_path-registry-value.yml
+++ b/nursery/persist-via-cor_profiler_path-registry-value.yml
@@ -14,7 +14,5 @@ rule:
 features:
 - and:
 - match: set registry value
- - or:
- - string: /Environment/i
- - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
- - string: /COR_PROFILER_PATH/
+ - string: /Environment/i
+ - string: /COR_PROFILER_PATH/i
From d272d032c3af13d5a7c9f01e0edf62cd0963cb70 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:16:35 +0100
Subject: [PATCH 04/10] remove optional from disk cleanup handler rule
---
 nursery/persist-via-disk-cleanup-handler-registry-key.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/nursery/persist-via-disk-cleanup-handler-registry-key.yml b/nursery/persist-via-disk-cleanup-handler-registry-key.yml
index d71b378c..8c125df0 100644
--- a/nursery/persist-via-disk-cleanup-handler-registry-key.yml
+++ b/nursery/persist-via-disk-cleanup-handler-registry-key.yml
@@ -16,5 +16,3 @@ rule:
 - and:
 - match: set registry value
 - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i
- - optional:
- - match: persist via COM hijack
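Review bot: Collapsing the `or` in the cor_profiler_path rule to `- string: /Environment/i` preserves behaviour, since the removed `SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment` pattern already contained `Environment`, but the rule is now "some registry write in a function that also references `Environment` and `COR_PROFILER_PATH`", and nothing in the file records that the bare substring is meant to cover the per-user `Environment` key as well as the machine-wide one. A `description:` line in `meta` stating that intent would keep the next maintainer from re-adding the prefix; the same applies to the identical collapses in PATCH 05, 07 and 09 (DOTNET_STARTUP_HOOKS, PATH, UserInitMprLogonScript). Separately, the rule name and pattern pin it to `COR_PROFILER_PATH`, so a sample that registers a profiler through `COR_ENABLE_PROFILING` and `COR_PROFILER` alone will not match; if that is intentionally out of scope, say so in the description, otherwise an `or` over those value names would close the gap.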
From 9f0a1316d235512674e004672468937aecdd5944 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:18:18 +0100
Subject: [PATCH 05/10] update dotnet_startup_hooks
---
 ...ersist-via-dotnet_startup_hooks-registry-key.yml | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/nursery/persist-via-dotnet_startup_hooks-registry-key.yml b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml
index 20e67b96..2e285fca 100644
--- a/nursery/persist-via-dotnet_startup_hooks-registry-key.yml
+++ b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml
@@ -12,12 +12,7 @@ rule:
 references:
 - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
 features:
- - or:
- - and:
- - match: set registry value
- - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
- - string: /DOTNET_STARTUP_HOOKS/i
- - and:
- - match: set registry value
- - string: /Environment/i
- - string: /DOTNET_STARTUP_HOOKS/i
+ - and:
+ - match: set registry value
+ - string: /Environment/i
+ - string: /DOTNET_STARTUP_HOOKS/i
From 7e21058c715b1bb65ea0dd0cb428629c62070539 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:57:43 +0100
Subject: [PATCH 06/10] improve filter handler rule
---
 nursery/persist-via-filter-handlers-registry-key.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nursery/persist-via-filter-handlers-registry-key.yml b/nursery/persist-via-filter-handlers-registry-key.yml
index 116f71d9..53c0d8c3 100644
--- a/nursery/persist-via-filter-handlers-registry-key.yml
+++ b/nursery/persist-via-filter-handlers-registry-key.yml
@@ -14,6 +14,6 @@ rule:
 features:
 - and:
 - match: set registry value
- - string: /\\\.(.*?)\\Handler/i
- - optional:
- - match: persist via COM hijack
+ - or:
+ - string: /\\\..*\\PersistentHandler/i
+ - string: /CLSID\\.*\\PersistentHandler/i
From 33cb866dd759645ad722c15185f714a9483bce22 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:59:26 +0100
Subject: [PATCH 07/10] update persist via PATH
---
 nursery/persist-via-path-registry-key.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/nursery/persist-via-path-registry-key.yml b/nursery/persist-via-path-registry-key.yml
index 5bab676d..ad52cf10 100644
--- a/nursery/persist-via-path-registry-key.yml
+++ b/nursery/persist-via-path-registry-key.yml
@@ -14,7 +14,5 @@ rule:
 features:
 - and:
 - match: set registry value
- - or:
- - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
- - string: /Environment/i
+ - string: /Environment/i
 - string: /^PATH$/i
From b39b92101038203b25838f8129f619a65d8efdab Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:54:38 +0100
Subject: [PATCH 08/10] merge task schedule persistence with existing rule
---
 nursery/persist-via-task-scheduler.yml | 26 -------------------
 .../schedule-task-via-schtasks.yml | 25 +++++++++++++-----
 2 files changed, 18 insertions(+), 33 deletions(-)
 delete mode 100644 nursery/persist-via-task-scheduler.yml
diff --git a/nursery/persist-via-task-scheduler.yml b/nursery/persist-via-task-scheduler.yml
deleted file mode 100644
index 66827cf0..00000000
--- a/nursery/persist-via-task-scheduler.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-rule:
- meta:
- name: persist via Task Scheduler
- namespace: persistence/registry
- authors:
- - j.j.vannielen@utwente.nl
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
- references:
- - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- - https://stmxcsr.com/persistence/scheduled-tasks.html
- features:
- - or:
- - and:
- - match: set registry value
- - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i
- - string: /^Actions$/i
- - and:
- - match: host-interaction/process/create
- - string: /schtasks(|\.exe) /i
- - or:
- - string: /\/change/i
- - string: /\/create/i
diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
index 4d7f58a3..8d42215a 100644
--- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
@@ -4,18 +4,29 @@ rule:
 namespace: persistence/scheduled-tasks
 authors:
 - 0x534a@mailbox.org
+ - j.j.vannielen@utwente.nl
 scopes:
 static: function
 dynamic: thread
 att&ck:
 - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
+ - https://stmxcsr.com/persistence/scheduled-tasks.html
 examples:
 - 79cde1aa711e321b4939805d27e160be:0x401440
 features:
- - and:
- - match: host-interaction/process/create
- - or:
- - and:
- - string: /schtasks/i
- - string: /\/create /i
- - string: /Register-ScheduledTask /i
+ - or:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i
+ - string: /^Actions$/i
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - and:
+ - string: /schtasks/i
+ - or:
+ - string: /\/change/i
+ - string: /\/create/i
+ - string: /Register-ScheduledTask /i
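Review bot: After the merge, the `TaskCache\\…` + `/^Actions$/i` branch reports a direct Task Scheduler registry write under the name `schedule task via schtasks`, which misdescribes a sample that never runs schtasks, and it also moves that detection from the deleted nursery rule's `dynamic: call` scope to this rule's `dynamic: thread`; either rename the rule and file (something like `schedule task via schtasks or registry`) or record the two paths in a `description:`. The single `examples:` entry `79cde1aa711e321b4939805d27e160be:0x401440` predates the registry branch, so that branch is currently backed by no sample in a non-nursery rule. Style-wise the rewrite dropped the trailing space from `/\/create /i` while keeping it in `/Register-ScheduledTask /i`; if the wider `/\/create/i` is intended (it now also matches a string such as `/createfoo`), make `/\/change/i` and the PowerShell pattern follow the same convention so the precision trade-off is visibly deliberate.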
From cf67b5d51cf03e86167185944e336c3ff7a2b281 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:56:35 +0100
Subject: [PATCH 09/10] update UserInitMprLogonScript rule
---
 nursery/persist-via-userinitmprlogonscript-registry-value.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/nursery/persist-via-userinitmprlogonscript-registry-value.yml b/nursery/persist-via-userinitmprlogonscript-registry-value.yml
index ebbd3e3a..7022317a 100644
--- a/nursery/persist-via-userinitmprlogonscript-registry-value.yml
+++ b/nursery/persist-via-userinitmprlogonscript-registry-value.yml
@@ -14,7 +14,5 @@ rule:
 features:
 - and:
 - match: set registry value
- - or:
- - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\Environment/i
- - string: /Environment/i
+ - string: /Environment/i
 - string: /UserInitMprLogonScript/i
From 25b1b355760f07ec71eabca77338981028503f9c Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 13:22:01 +0100
Subject: [PATCH 10/10] merge universal app uri with default file association; add better reference
---
 ...ia-default-file-association-registry-key.yml | 9 +++++----
 ...rsist-via-universal-app-uri-registry-key.yml | 17 -----------------
 2 files changed, 5 insertions(+), 21 deletions(-)
 delete mode 100644 nursery/persist-via-universal-app-uri-registry-key.yml
diff --git a/nursery/persist-via-default-file-association-registry-key.yml b/nursery/persist-via-default-file-association-registry-key.yml
index 6a1b25cf..146c23ce 100644
--- a/nursery/persist-via-default-file-association-registry-key.yml
+++ b/nursery/persist-via-default-file-association-registry-key.yml
@@ -10,11 +10,12 @@ rule:
 att&ck:
 - Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
 references:
- - https://woshub.com/managing-default-file-associations-in-windows-10/
+ - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association
+ - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 features:
 - and:
 - match: set registry value
 - or:
- - string: /file\\shell\\open\\command/i
- - string: /file\\shell\\print\\command/i
- - string: /file\\shell\\printto\\command/i
+ - string: /\\shell\\open\\command/i
+ - string: /\\shell\\print\\command/i
+ - string: /\\shell\\printto\\command/i
diff --git a/nursery/persist-via-universal-app-uri-registry-key.yml b/nursery/persist-via-universal-app-uri-registry-key.yml
deleted file mode 100644
index 29e2cefc..00000000
--- a/nursery/persist-via-universal-app-uri-registry-key.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-rule:
- meta:
- name: persist via Universal App Uri registry key
- namespace: persistence/registry
- authors:
- - j.j.vannielen@utwente.nl
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Event Triggered Execution [T1546]
- references:
- - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
- features:
- - and:
- - match: set registry value
- - string: /Classes\\App.*\\Shell\\open\\command/i
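Review bot: Dropping the `file` prefix from the three `\\shell\\…\\command` patterns makes the rule fire on any ProgID or protocol-handler registration, including an ordinary installer registering its own file type, so the unchanged name and the `Change Default File Association [T1546.001]` tag now only partly describe what matches: the merged Universal App URI case (`Classes\\App.*\\Shell\\open\\command`, deleted below) is an app/URI handler rather than a file-extension association. A `description:` in `meta` saying the rule intentionally covers both, plus an `examples:` entry once a sample is available, would make that explicit for whoever promotes it out of the nursery. The new reference under `red-team-notes-2-0/…/untitled-3/default-file-association` looks like an auto-generated gitbook path that may not stay stable; the ATT&CK T1546.001 page would be a more durable citation to keep alongside it.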