
Add 38 new registry-based persistence techniques #954

Merged
18 changes: 18 additions & 0 deletions nursery/persist-via-aedebug-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via AeDebug registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i
- string: /Debugger/i
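Review bot: the last term, `- string: /Debugger/i`, is unanchored, so any string in the same function that merely contains "debugger" satisfies it; the rule is keyed on the `Debugger` value name under `AeDebug`, so anchor it the way the Code signing rule in this PR anchors `/^Dll$/i`, i.e. `- string: /^Debugger$/i`. That keeps the `AeDebug` key path as the real discriminator and avoids hits on generic debugger-related strings.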
17 changes: 17 additions & 0 deletions nursery/persist-via-amsi-registry-key.yml
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via AMSI registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience
features:
- and:
- match: set registry value
- string: /Microsoft\\AMSI\\Providers\\/i
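Review bot: this rule fires on legitimate AMSI provider registration too, since every antimalware product that registers a provider writes under `Microsoft\AMSI\Providers\{CLSID}` at install time, and there is no `description:` in `meta` saying so. Add one that names the expected false positives on security-product installers, and consider requiring the CLSID subkey rather than a bare prefix match on `Providers\\`, e.g. `- string: /Microsoft\\AMSI\\Providers\\\{[0-9a-f-]{36}\}/i`, so that code that only opens or enumerates the `Providers` key does not trigger.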
17 changes: 17 additions & 0 deletions nursery/persist-via-app-paths-registry-key.yml
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via App paths registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
references:
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i
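Review bot: the `att&ck` entry `Path Interception by PATH Environment Variable [T1574.007]` does not describe this mechanism. An App Paths entry redirects how the shell resolves an executable name through the `App Paths` key; it does not touch the PATH environment variable. Re-check the mapping against the cited CyberArk post before merging, and match the key's casing in the rule name (`App Paths`, as written in the regex, rather than `App paths`).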
17 changes: 17 additions & 0 deletions nursery/persist-via-appcertdlls-registry-key.yml
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via AppCertDlls registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::AppCert DLLs [T1546.009]
references:
- https://skanthak.hier-im-netz.de/appcert.html
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i
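Review bot: the key regex on the last line only accepts `CurrentControlSet` or `ControlSet001`; a sample that writes to `ControlSet002` (or whichever numbered set is active after a last-known-good boot) is missed. Use `- string: /System\\(CurrentControlSet|ControlSet\d{3})\\Control\\Session Manager\\AppCertDlls/i`. The same `ControlSet001` literal appears in the AutodialDLL and BootVerificationProgram rules in this PR and should be changed in the same way.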
22 changes: 22 additions & 0 deletions nursery/persist-via-appx-registry-key.yml
@@ -0,0 +1,22 @@
rule:
meta:
name: persist via AppX registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
features:
- and:
- match: set registry value
- or:
- string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i
- and:
- string: /ActivatableClasses\\Package\\/i
- string: /DebugInformation/i
- string: /DebugPath/i
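Review bot: in the inner `and` (`ActivatableClasses\\Package\\`, `DebugInformation`, `DebugPath`) the three terms are matched as independent strings anywhere in the function, so nothing requires the `DebugInformation` subkey to belong to the `ActivatableClasses\Package\...` path. Since they form one key path, a single regex such as `/ActivatableClasses\\Package\\.*\\DebugInformation/i` paired with `/^DebugPath$/i` is tighter and cheaper to evaluate. `DebugInformation` on its own is also a common substring in debug build artifacts, which is a further reason not to match it standalone.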
19 changes: 19 additions & 0 deletions nursery/persist-via-autodialdll-registry-key.yml
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via AutodialDLL registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i
- string: /AutodialDLL/i
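Review bot: the `WinSock2\\Parameters` regex has the same `ControlSet001` limitation as the AppCertDlls rule in this PR, skipping `ControlSet002` and higher; use `(CurrentControlSet|ControlSet\d{3})`. Also anchor the value name, `- string: /^AutodialDLL$/i`, since the rule is specifically about that value being set rather than about any string that contains it.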
22 changes: 22 additions & 0 deletions nursery/persist-via-autoplayhandlers-registry-key.yml
@@ -0,0 +1,22 @@
rule:
meta:
name: persist via AutoplayHandlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event
- https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i
- or:
- string: /Action/i
- string: /Provider/i
- string: /InitCmd/i
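Review bot: the trailing `or` block matches `/Action/i` and `/Provider/i` as bare substrings, and both are extremely common in ordinary binaries (`Transaction`, `ServiceProvider`, the names of cryptographic providers), so the block adds almost no selectivity beyond the `AutoplayHandlers\\Handlers\\` key path. Anchor the value names, `/^Action$/i`, `/^Provider$/i`, `/^InitCmd$/i`, or drop the block and rely on the key path alone.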
18 changes: 18 additions & 0 deletions nursery/persist-via-bootverificationprogram-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via BootVerificationProgram registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution [T1547]
references:
- https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
features:
- and:
- match: set registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i
- string: /ImagePath/i
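Review bot: `ControlSet001` again in the key regex; use `ControlSet\d{3}` as suggested for the AppCertDlls rule. Separately, `/ImagePath/i` is the value name every service installer writes, so it only adds selectivity because the function-scope `and` forces it to co-occur with the `BootVerificationProgram` path; that is acceptable, but anchoring it as `/^ImagePath$/i` makes the intent explicit and avoids matching longer strings that embed the word.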
19 changes: 19 additions & 0 deletions nursery/persist-via-code-signing-registry-key.yml
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Code signing registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
features:
- and:
- match: set registry value
- and:
- string: /Microsoft\\Cryptography\\OID\\/i
- string: /^Dll$/i
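Review bot: the `- and:` nested directly under `- and:` is redundant; flatten it to a single `and` holding `set registry value`, the `Cryptography\\OID\\` regex and `/^Dll$/i`. The `/^Dll$/i` anchor is the right pattern for a value name, and the AeDebug, Command Processor, AutodialDLL and AutoplayHandlers rules in this PR should follow it instead of matching unanchored substrings.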
23 changes: 23 additions & 0 deletions nursery/persist-via-com-hijack.yml
@@ -0,0 +1,23 @@
rule:
meta:
name: persist via COM hijack
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
references:
- https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/
- https://stmxcsr.com/persistence/com-hijacking.html
features:
- and:
- match: set registry value
- or:
- string: /Classes\\CLSID/i
- string: /Classes\\WOW6432Node\\CLSID/i
- or:
- string: /InProcServer32/i
- string: /LocalServer32/i
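Review bot: as written this rule matches every legitimate COM server registration, because any `DllRegisterServer` implementation writes `Classes\CLSID\{...}\InProcServer32`. The hijack described in the cited MDSec post works because the per-user hive is consulted before the machine hive, so the distinguishing signal is the hive the key is opened in, not the key path, and string features cannot see the hive handle. At minimum add a `description:` in `meta` stating that installers and self-registering DLLs are expected false positives, so analysts do not treat a hit as a hijack on its own.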
19 changes: 19 additions & 0 deletions nursery/persist-via-command-processor-registry-key.yml
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Command Processor registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
features:
- and:
- match: set registry value
- and:
- string: /Microsoft\\Command Processor/i
- string: /AutoRun/i
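Review bot: the nested `- and:` under `- and:` is redundant (same pattern as the Code signing rule) and should be flattened. `/AutoRun/i` should also be anchored as `/^AutoRun$/i`, since "autorun" appears in unrelated strings such as `autorun.inf` handling and the `NoDriveTypeAutoRun` policy value; paired with the `Command Processor` key the anchored form still captures the cmd.exe behaviour the Old New Thing reference describes.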
18 changes: 18 additions & 0 deletions nursery/persist-via-contextmenuhandlers-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via ContextMenuHandlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://pentestlab.blog/2023/03/13/persistence-context-menu/
- https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html
features:
- and:
- match: set registry value
- string: /\\shellex\\ContextMenuHandlers\\/i
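Review bot: `/\\shellex\\ContextMenuHandlers\\/i` fires on every shell extension installer (archivers, sync clients and AV products all register context menu handlers), so on its own the rule is a weak persistence signal; add a `description:` saying so. Note also that this key only stores a CLSID, and the code path lives under that CLSID's `InProcServer32`, so a genuine hit is normally accompanied by a COM registration in the same sample, which is worth mentioning in `meta` for triage.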
18 changes: 18 additions & 0 deletions nursery/persist-via-cor_profiler_path-registry-value.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via COR_PROFILER_PATH registry value
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012]
references:
- https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/
features:
- and:
- match: set registry value
- string: /Environment/i
- string: /COR_PROFILER_PATH/i
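Review bot: `/Environment/i` is too broad a term: it matches any string containing the word (API-like names, error messages), and at function scope the only real discriminator left is `COR_PROFILER_PATH`. Anchor the key name, e.g. `- string: /(^|\\)Environment$/i`, so the `Environment` key itself is required. Also, per the cited Red Canary post, the profiler is only loaded when `COR_ENABLE_PROFILING` and `COR_PROFILER` are set as well, so an `or` over `/^COR_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)$/i` would catch samples that set the other values in a different function or that point `COR_PROFILER` at a registered CLSID instead of a path.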
21 changes: 21 additions & 0 deletions nursery/persist-via-default-file-association-registry-key.yml
@@ -0,0 +1,21 @@
rule:
meta:
name: persist via default file association registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
references:
- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
features:
- and:
- match: set registry value
- or:
- string: /\\shell\\open\\command/i
- string: /\\shell\\print\\command/i
- string: /\\shell\\printto\\command/i
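Review bot: the three `shell\<verb>\command` regexes match any installer that registers its own file type or protocol handler, which is far more common than retargeting an existing association, and nothing in the features can tell a newly created ProgID from an overwrite of an existing one. Add a `description:` noting the expected false positives, and consider a higher-confidence sibling rule scoped to ProgIDs that ship with Windows (for example `txtfile` or `exefile`), where a write to `shell\open\command` is much harder to explain benignly.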
18 changes: 18 additions & 0 deletions nursery/persist-via-disk-cleanup-handler-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via Disk Cleanup Handler registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i
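Review bot: the `VolumeCaches\\` path is the only discriminator here, and per the cited Microsoft page each handler subkey holds a CLSID rather than a path, so this rule overlaps heavily with the COM hijack rule in this PR and never sees the DLL itself being registered. Document in `meta` that a hit should be read together with a COM registration in the same sample, and require the handler subkey, `/Explorer\\VolumeCaches\\[^\\]+/i`, so that code that only opens or enumerates the parent key (cleanup utilities do this) does not fire.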
18 changes: 18 additions & 0 deletions nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via .NET DbgManagedDebugger registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022
features:
- and:
- match: set registry value
- string: /Microsoft\\.NETFramework/i
- string: /DbgManagedDebugger/i
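Review bot: in `/Microsoft\\.NETFramework/i` the dot is unescaped: `\\` consumes the backslash pair and leaves `.` as a single-character wildcard. It still matches the literal path, but the intended form is `/Microsoft\\\.NETFramework/i`. Also anchor the value name as `/^DbgManagedDebugger$/i`. The unanchored prefix already covers the `WOW6432Node` view of the key, since `Microsoft\.NETFramework` is a substring of that path as well.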
18 changes: 18 additions & 0 deletions nursery/persist-via-dotnet_startup_hooks-registry-key.yml
@@ -0,0 +1,18 @@
rule:
meta:
name: persist via DOTNET_STARTUP_HOOKS registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002]
references:
- https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
features:
- and:
- match: set registry value
- string: /Environment/i
- string: /DOTNET_STARTUP_HOOKS/i
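Review bot: the `att&ck` mapping `DLL Side-Loading [T1574.002]` does not fit: a startup hook is an assembly path injected through an environment variable that the .NET host loads before `Main`, which is closer to the `COR_PROFILER` environment-variable hijack elsewhere in this PR than to placing a DLL beside a legitimate binary. Map it to the parent `Hijack Execution Flow [T1574]` unless a closer sub-technique exists. The `/Environment/i` breadth issue raised for the COR_PROFILER_PATH rule applies here unchanged; anchor it as `/(^|\\)Environment$/i`.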
17 changes: 17 additions & 0 deletions nursery/persist-via-explorer-tools-registry-key.yml
@@ -0,0 +1,17 @@
rule:
meta:
name: persist via Explorer tools registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
features:
- and:
- match: set registry value
- string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i
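Review bot: `MyComputer\\` with only a trailing backslash matches the parent key prefix; the cited hexacorn post is about the per-tool subkeys beneath it (`BackupPath`, `cleanuppath`, `DefragPath`) whose default value is the executable that Explorer launches. Anchoring on a subkey, `/Explorer\\MyComputer\\[^\\]+/i`, or listing those three names in an `or`, keeps the rule from firing on code that merely opens or enumerates `MyComputer`.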
19 changes: 19 additions & 0 deletions nursery/persist-via-filter-handlers-registry-key.yml
@@ -0,0 +1,19 @@
rule:
meta:
name: persist via Filter Handlers registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution [T1546]
references:
- https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about
features:
- and:
- match: set registry value
- or:
- string: /\\\..*\\PersistentHandler/i
- string: /CLSID\\.*\\PersistentHandler/i
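Review bot: the two regexes use different escaping styles: the first escapes the dot (`\\\.` is a backslash followed by a literal `.`, matching the extension subkey), while the second uses an unbounded `.*` that lets `CLSID\\` be followed by any run of characters before `\\PersistentHandler`; `CLSID\\[^\\]+\\PersistentHandler` says what is meant. More importantly, `PersistentHandler` only stores a CLSID, so this rule never sees the filter DLL being registered; say so in a `description:` so a hit is read together with the COM registration in the same sample.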
21 changes: 21 additions & 0 deletions nursery/persist-via-group-policy-registry-key.yml
@@ -0,0 +1,21 @@
rule:
meta:
name: persist via Group Policy registry key
namespace: persistence/registry
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution [T1547]
references:
- None
features:
- and:
- match: set registry value
- and:
- or:
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i
- string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i
- string: /^Script$/i
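Review bot: `references:` holding the literal `- None` is a placeholder, not a reference; either drop the key or cite the Group Policy script-processing documentation that describes the `Scripts\Startup` key. The `- and:` nested under `- and:` is redundant, and the regex suffix `\\.*?\\.*` is hard to read: the lazy `.*?` followed by `\\.*` only requires one more backslash after `Startup\\` (or `Scripts\\`), which `Scripts\\Startup\\[^\\]+\\` expresses directly. `/^Script$/i` is correctly anchored.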