-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improve existing persistence rules (#953)
* Improve existing persistence rules by limiting their scope, and adding some more details. * Update persistence/startup-folder/write-file-to-startup-folder.yml Co-authored-by: Moritz <[email protected]> * change scope to call for shell command via WRM * Update persistence/startup-folder/write-file-to-startup-folder.yml Co-authored-by: Moritz <[email protected]> * fix startup folder persistence rule * change name screensaver persistence technique * change name screensaver persistence technique pt 2 * fix write to startup folder persistence rule --------- Co-authored-by: Moritz <[email protected]>
- Loading branch information
1 parent
ed816a8
commit ce5e041
Showing
11 changed files
with
39 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| features: | ||
| - and: | ||
| - or: | ||
|
|
||
10 changes: 5 additions & 5 deletions
10
...ery/reference-screen-saver-executable.yml → .../persist-via-screensaver-registry-key.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,19 @@ | ||
| rule: | ||
| meta: | ||
| name: reference screen saver executable | ||
| name: persist via screensaver registry key | ||
| namespace: persistence/screensaver | ||
| authors: | ||
| - [email protected] | ||
| description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Event Triggered Execution::Screensaver [T1546.002] | ||
| features: | ||
| - and: | ||
| - string: "SCRNSAVE.EXE" | ||
| - match: set registry value | ||
| - string: /Control Panel\\Desktop/i | ||
| - string: /^SCRNSAVE.EXE$/i | ||
| - optional: | ||
| - string: "ScreenSaveTimeOut" | ||
| - string: "Control Panel\\Desktop" | ||
| - match: set registry value |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Event Triggered Execution [T1546] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] | ||
| mbc: | ||
|
|
@@ -30,5 +30,7 @@ rule: | |
| - string: /User Shell Folders/i | ||
| - string: /RunServices/i | ||
| - string: /Policies\\Explorer\\Run/i | ||
| - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load/i | ||
| - and: | ||
| - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i | ||
| - string: /Load/i | ||
| - string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,11 +4,14 @@ rule: | |
| namespace: persistence/registry/winlogon-helper | ||
| authors: | ||
| - [email protected] | ||
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004] | ||
| references: | ||
| - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/creating-a-policy-callback-function | ||
| examples: | ||
| - 9ff8e68343cc29c1036650fc153e69f7:0x47f818 | ||
| features: | ||
|
|
@@ -22,3 +25,7 @@ rule: | |
| - string: /Notify/i | ||
| - string: /Userinit/i | ||
| - string: /Shell/i | ||
| - string: /mpnotify/i | ||
| - and: | ||
| - string: /GPExtensions/i | ||
| - string: /DllName/i | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ rule: | |
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| dynamic: call | ||
| att&ck: | ||
| - Persistence::Create or Modify System Process::Windows Service [T1543.003] | ||
| - Execution::System Services::Service Execution [T1569.002] | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,6 +4,7 @@ rule: | |
| namespace: persistence/startup-folder | ||
| authors: | ||
| - [email protected] | ||
| - [email protected] | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
|
|
@@ -12,9 +13,17 @@ rule: | |
| examples: | ||
| - 07F7846BBCDA782E5639292AD93907EB:0x401040 | ||
| features: | ||
| - and: | ||
| - match: get startup folder | ||
| - or: | ||
| - match: copy file | ||
| - match: move file | ||
| - match: host-interaction/file-system/write | ||
| - or: | ||
| - and: | ||
| - match: get startup folder | ||
| - or: | ||
| - match: copy file | ||
| - match: move file | ||
| - match: write file on Windows | ||
| - call: | ||
| - and: | ||
| - string: /Start Menu\\Programs\\Startup/i | ||
| - or: | ||
| - match: copy file | ||
| - match: move file | ||
| - match: write file on Windows | ||