Merge pull request #956 from jorik-utwente/add-miscellaneous-persiste…

…nce-techniques Add 4 miscellaneous persistence techniques
mandiant · Nov 25, 2024 · f3bb093 · f3bb093
2 parents e50d824 + 5873d7f
commit f3bb093
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 17 deletions.
diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -7,26 +7,40 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: unsupported  # requires offset, bytes features
+      dynamic: call
     att&ck:
       - Execution::Windows Management Instrumentation [T1047]
     examples:
       - al-khaser_x64.exe_:0x14001956e
       - al-khaser_x86.exe_:0x00445270
   features:
-    - and:
-      - basic block:
-        - and:
-          - api: ole32.CoCreateInstance
-          - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
-          - com/interface: IWbemLocator  # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
-      - or:
-        - and:
-          - arch: i386
-          - offset: 0xC = ppv->ConnectServer
-        - and:
-          - arch: amd64
-          - offset: 0x18 = ppv->ConnectServer
-      - optional:
-        - string: /ROOT\\CIMV2/i
-        - string: /ROOT\\DEFAULT/i
+    - or:
+      - call:
+        - description: dynamic detection rule
+        - or:
+          - and:
+            - api: ole32.CoCreateInstance
+            - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+          - and:
+            - match: host-interaction/process/create
+            - or:
+              - string: /wmic(|\.exe) /i
+              - string: /Register-WMIEvent /i
+      - and:
+        - description: static detection rule
+        - basic block:
+          - and:
+            - api: ole32.CoCreateInstance
+            - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+            - com/interface: IWbemLocator  # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
+        - basic block:
+          - or:
+            - and:
+              - arch: i386
+              - offset: 0xC = ppv->ConnectServer
+            - and:
+              - arch: amd64
+              - offset: 0x18 = ppv->ConnectServer
+        - optional:
+          - string: /ROOT\\CIMV2/i
+          - string: /ROOT\\DEFAULT/i
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
@@ -0,0 +1,29 @@
+rule:
+  meta:
+    name: persist via application shimming
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Application Shimming [T1546.011]
+    references:
+      - https://cloud.google.com/blog/topics/threat-intelligence/fin7-shim-databases-persistence/
+  features:
+    - or:
+      - and:
+        - match: set registry value
+        - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
+        - string: /DatabasePath/i
+      - and:
+        - description: Malware can overwrite existing shimming files to gain persistence
+        - or:
+          - match: copy file
+          - match: move file
+          - match: host-interaction/file-system/write
+        - string: /.sdb/i
+      - and:
+        - match: host-interaction/process/create
+        - string: /sdbinst(|\.exe) /i
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: persist via BITS job
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::BITS Jobs [T1197]
+    references:
+      - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+  features:
+    - and:
+      - match: host-interaction/process/create
+      - or:
+        - and:
+          - string: /bitsadmin(|\.exe) /i
+          - string: /\/SetNotifyCmdLine/i
+        - and:
+          - or:
+            - string: /Set-BitsTransfer /i
+            - string: /Start-BitsTransfer /i
+          - string: / -NotifyCmdLine /i
diff --git a/nursery/persist-via-print-processors-registry-key.yml b/nursery/persist-via-print-processors-registry-key.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: persist via Print Processors registry key
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Print Processors [T1547.012]
+    references:
+      - https://stmxcsr.com/persistence/print-processor.html
+  features:
+    - or:
+      - and:
+        - match: set registry value
+        - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
+        - string: /^Driver$/i
+      - and:
+        - or:
+          - match: copy file
+          - match: move file
+          - match: host-interaction/file-system/write
+        - string: /\\spool\\PRTPROCS\\/i