From ce5e0410066931f815b74eda0b68b031e978c1a2 Mon Sep 17 00:00:00 2001 From: Jorik <47347649+jorik-utwente@users.noreply.github.com> Date: Mon, 9 Dec 2024 10:51:47 +0100 Subject: [PATCH] Improve existing persistence rules (#953) * Improve existing persistence rules by limiting their scope, and adding some more details. * Update persistence/startup-folder/write-file-to-startup-folder.yml Co-authored-by: Moritz * change scope to call for shell command via WRM * Update persistence/startup-folder/write-file-to-startup-folder.yml Co-authored-by: Moritz * fix startup folder persistence rule * change name screensaver persistence technique * change name screensaver persistence technique pt 2 * fix write to startup folder persistence rule --------- Co-authored-by: Moritz --- ...-command-via-windows-remote-management.yml | 2 +- ... persist-via-screensaver-registry-key.yml} | 10 ++++----- .../persist-via-appinit_dlls-registry-key.yml | 2 +- .../persist-via-ginadll-registry-key.yml | 2 +- .../persist-via-active-setup-registry-key.yml | 2 +- .../run/persist-via-run-registry-key.yml | 6 ++++-- ...t-via-winlogon-helper-dll-registry-key.yml | 9 +++++++- .../scheduled-tasks/schedule-task-via-at.yml | 2 +- .../schedule-task-via-schtasks.yml | 2 +- .../service/persist-via-windows-service.yml | 2 +- .../write-file-to-startup-folder.yml | 21 +++++++++++++------ 11 files changed, 39 insertions(+), 21 deletions(-) rename nursery/{reference-screen-saver-executable.yml => persist-via-screensaver-registry-key.yml} (69%)
diff --git a/nursery/execute-shell-command-via-windows-remote-management.yml b/nursery/execute-shell-command-via-windows-remote-management.yml
index b5281be3..4fed57d0 100644
--- a/nursery/execute-shell-command-via-windows-remote-management.yml
+++ b/nursery/execute-shell-command-via-windows-remote-management.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: call features: - and: - or:
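Review bot: Narrowing the dynamic scope to `call` means every feature under this rule's top-level `and` must be satisfied by a single API call record, and the hunk only shows that `and` opening with an `or`; the rest of the feature block is outside the hunk. If the other member of that `and` is a different API (for example a session/shell setup call alongside the command-run call), the rule can no longer match in dynamic mode at all, and the commit message's "change scope to call for shell command via WRM" does not say this was checked against a trace. Please confirm with a dynamic example that the remaining features co-occur in one call, or keep `dynamic: thread` for this rule.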
diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/persist-via-screensaver-registry-key.yml
similarity index 69%
rename from nursery/reference-screen-saver-executable.yml
rename to nursery/persist-via-screensaver-registry-key.yml
index f7cfd02a..a916936f 100644
--- a/nursery/reference-screen-saver-executable.yml
+++ b/nursery/persist-via-screensaver-registry-key.yml
@@ -1,19 +1,19 @@ rule: meta: - name: reference screen saver executable + name: persist via screensaver registry key namespace: persistence/screensaver authors: - michael.hunhoff@mandiant.com description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Event Triggered Execution::Screensaver [T1546.002] features: - and: - - string: "SCRNSAVE.EXE" + - match: set registry value + - string: /Control Panel\\Desktop/i + - string: /^SCRNSAVE.EXE$/i - optional: - string: "ScreenSaveTimeOut" - - string: "Control Panel\\Desktop" - - match: set registry value
diff --git a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
index 3e4c1481..cb840210 100644
--- a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
+++ b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@fireye.com scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] references:
diff --git a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
index f947da93..3316928b 100644
--- a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
+++ b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
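Review bot: The new `and` requires `/Control Panel\\Desktop/i`, `/^SCRNSAVE.EXE$/i` and `set registry value` together inside one `call` scope, but a key path and a value name are normally arguments of different API calls (the path goes to the open/create call, the value name to the set-value call), so in dynamic mode this only matches if the sandbox resolves the key handle to its full path in the set-value record; please verify against a trace or add a dynamic example before relying on it. Separately, the unescaped `.` in the anchored pattern matches any character in that position; `- string: /^SCRNSAVE\.EXE$/i` pins the literal value name. Moving `Control Panel\\Desktop` from `optional` into the required `and` also means static matches now need the key path string in the same function as the value name, which is a deliberate narrowing worth stating in the `description`.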
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@fireye.com scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Event Triggered Execution [T1546] examples:
diff --git a/persistence/registry/persist-via-active-setup-registry-key.yml b/persistence/registry/persist-via-active-setup-registry-key.yml
index 54b8f0cf..79a6d9a7 100644
--- a/persistence/registry/persist-via-active-setup-registry-key.yml
+++ b/persistence/registry/persist-via-active-setup-registry-key.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014] references:
diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml
index 0d7dbf59..8c5b8fb8 100644
--- a/persistence/registry/run/persist-via-run-registry-key.yml
+++ b/persistence/registry/run/persist-via-run-registry-key.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] mbc:
@@ -30,5 +30,7 @@ rule: - string: /User Shell Folders/i - string: /RunServices/i - string: /Policies\\Explorer\\Run/i - - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load/i + - and: + - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i + - string: /Load/i - string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i
diff --git a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
index 93da27e9..c6b9ff5c 100644
--- a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
+++ b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
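Review bot: Splitting the old `Windows\\load` pattern into the key path plus an unanchored `/Load/i` makes that alternative very loose: these regexes are evaluated with search semantics (the unanchored siblings such as `/RunServices/i` depend on it), so `/Load/i` also hits `LoadLibrary`, `download`, `payload`, and because `AppInit_DLLs` lives under the same `Windows NT\\CurrentVersion\\Windows` key, any function that touches that key and carries such a string would be reported as Run-key persistence. Anchoring the value name keeps both the standalone-name and the full-path string forms that the old line covered: `- string: /(^|\\)Load$/i`. The hunk sits in the middle of an `or` list whose enclosing `and` is outside it.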
@@ -4,11 +4,14 @@ rule: namespace: persistence/registry/winlogon-helper authors: - 0x534a@mailbox.org + - j.j.vannielen@utwente.nl scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004] + references: + - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/creating-a-policy-callback-function examples: - 9ff8e68343cc29c1036650fc153e69f7:0x47f818 features:
@@ -22,3 +25,7 @@ rule: - string: /Notify/i - string: /Userinit/i - string: /Shell/i + - string: /mpnotify/i + - and: + - string: /GPExtensions/i + - string: /DllName/i
diff --git a/persistence/scheduled-tasks/schedule-task-via-at.yml b/persistence/scheduled-tasks/schedule-task-via-at.yml
index c2476e3c..6bc15d0e 100644
--- a/persistence/scheduled-tasks/schedule-task-via-at.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-at.yml
@@ -6,7 +6,7 @@ rule: - joren485 scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Scheduled Task/Job::At [T1053.002] examples:
diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
index 4d7f58a3..18bbeec3 100644
--- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
@@ -6,7 +6,7 @@ rule: - 0x534a@mailbox.org scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] examples:
diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 041e2425..695dac41 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
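Review bot: The added `- string: /mpnotify/i` is already matched by the existing `/Notify/i` two lines above, because these regexes are applied as case-insensitive searches (which `/Shell/i` and `/Userinit/i` also rely on), so it adds no detection; either drop it or, if the intent is to tighten the value names, anchor them (`/^mpnotify$/i`). The `GPExtensions`/`DllName` pair extends the rule to group-policy client-side extensions, but the only listed example (`9ff8e68343cc29c1036650fc153e69f7:0x47f818`) is an unchanged context line and presumably does not exercise that branch; a sample that writes a `GPExtensions\\{GUID}\\DllName` value would keep the examples meaningful. The enclosing `or`/`and` structure of the features block is outside the hunk.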
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: call att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002]
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 88a64959..2b88013d 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -4,6 +4,7 @@ rule: namespace: persistence/startup-folder authors: - matthew.williams@mandiant.com + - j.j.vannielen@utwente.nl scopes: static: function dynamic: thread
@@ -12,9 +13,17 @@ rule: examples: - 07F7846BBCDA782E5639292AD93907EB:0x401040 features: - - and: - - match: get startup folder - - or: - - match: copy file - - match: move file - - match: host-interaction/file-system/write + - or: + - and: + - match: get startup folder + - or: + - match: copy file + - match: move file + - match: write file on Windows + - call: + - and: + - string: /Start Menu\\Programs\\Startup/i + - or: + - match: copy file + - match: move file + - match: write file on Windows
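Review bot: The new `call:` branch requires the `Start Menu\\Programs\\Startup` string and the copy/move/write match to land in the same API call record, which works for path-taking calls such as CopyFile/MoveFile but not for a handle-based write: if `write file on Windows` resolves to something like WriteFile, the startup path only appears in the preceding CreateFile call, so that third alternative will rarely fire dynamically and the branch silently degrades to copy/move only. Worth confirming with a trace, and in any case adding a comment above the `call:` block, e.g. `# dynamic: the startup path must be an argument of the copy/move/write call itself`, so the next maintainer does not widen it by accident. The two branches also duplicate the three `match:` lines; a one-line comment stating that the first covers the resolved-folder form and the second the literal-path form would make the split self-explanatory.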