From 3b3309e050171d8e185f063bedf08902f3999745 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:24:24 +0100
Subject: [PATCH 1/8] Improve existing persistence rules by limiting their scope, and adding some more details.
---
 nursery/reference-screen-saver-executable.yml | 10 ++++----
 .../persist-via-appinit_dlls-registry-key.yml | 2 +-
 .../persist-via-ginadll-registry-key.yml | 2 +-
 .../persist-via-active-setup-registry-key.yml | 2 +-
 .../run/persist-via-run-registry-key.yml | 6 +++--
 ...t-via-winlogon-helper-dll-registry-key.yml | 9 ++++++-
 .../scheduled-tasks/schedule-task-via-at.yml | 2 +-
 .../schedule-task-via-schtasks.yml | 2 +-
 .../service/persist-via-windows-service.yml | 2 +-
 .../write-file-to-startup-folder.yml | 24 ++++++++++++++-----
 10 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml
index f7cfd02a..a916936f 100644
--- a/nursery/reference-screen-saver-executable.yml
+++ b/nursery/reference-screen-saver-executable.yml
@@ -1,19 +1,19 @@
 rule:
 meta:
- name: reference screen saver executable
+ name: persist via screensaver registry key
 namespace: persistence/screensaver
 authors:
 - michael.hunhoff@mandiant.com
 description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Event Triggered Execution::Screensaver [T1546.002]
 features:
 - and:
- - string: "SCRNSAVE.EXE"
+ - match: set registry value
+ - string: /Control Panel\\Desktop/i
+ - string: /^SCRNSAVE.EXE$/i
 - optional:
 - string: "ScreenSaveTimeOut"
- - string: "Control Panel\\Desktop"
- - match: set registry value
diff --git a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
index 3e4c1481..cb840210 100644
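Review bot: The anchored value-name pattern `/^SCRNSAVE.EXE$/i` leaves the dot unescaped, so it also accepts any single character between `SCRNSAVE` and `EXE`; it should read `- string: /^SCRNSAVE\.EXE$/i`. The identical line is carried into the re-created file nursery/persist-via-screensaver-registry-key.yml in patch 7 of this series, so both copies need the escape. Narrowing the dynamic scope to `call` also means the key path, the value name and the `set registry value` match must all be satisfied by one API call's arguments; the rule lists no `examples:` to confirm that still fires, so it is worth checking against a trace before it leaves the nursery.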
--- a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
+++ b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@fireye.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
 references:
diff --git a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
index f947da93..3316928b 100644
--- a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
+++ b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@fireye.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Event Triggered Execution [T1546]
 examples:
diff --git a/persistence/registry/persist-via-active-setup-registry-key.yml b/persistence/registry/persist-via-active-setup-registry-key.yml
index 54b8f0cf..79a6d9a7 100644
--- a/persistence/registry/persist-via-active-setup-registry-key.yml
+++ b/persistence/registry/persist-via-active-setup-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014]
 references:
diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml
index 0d7dbf59..8c5b8fb8 100644
--- a/persistence/registry/run/persist-via-run-registry-key.yml
+++ b/persistence/registry/run/persist-via-run-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 mbc:
@@ -30,5 +30,7 @@ rule:
 - string: /User Shell Folders/i
 - string: /RunServices/i
 - string: /Policies\\Explorer\\Run/i
- - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load/i
+ - and:
+ - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i
+ - string: /Load/i
 - string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i
diff --git a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
index 93da27e9..c6b9ff5c 100644
--- a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
+++ b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
@@ -4,11 +4,14 @@ rule:
 namespace: persistence/registry/winlogon-helper
 authors:
 - 0x534a@mailbox.org
+ - j.j.vannielen@utwente.nl
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004]
+ references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/creating-a-policy-callback-function
 examples:
 - 9ff8e68343cc29c1036650fc153e69f7:0x47f818
 features:
@@ -22,3 +25,7 @@ rule:
 - string: /Notify/i
 - string: /Userinit/i
 - string: /Shell/i
+ - string: /mpnotify/i
+ - and:
+ - string: /GPExtensions/i
+ - string: /DllName/i
diff --git a/persistence/scheduled-tasks/schedule-task-via-at.yml b/persistence/scheduled-tasks/schedule-task-via-at.yml
index c2476e3c..6bc15d0e 100644
--- a/persistence/scheduled-tasks/schedule-task-via-at.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-at.yml
@@ -6,7 +6,7 @@ rule:
 - joren485
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Scheduled Task/Job::At [T1053.002]
 examples:
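Review bot: Replacing the combined `...\\Windows\\load` pattern with an `and:` of the key path and the unanchored `/Load/i` widens the rule rather than tightening it: `/Load/i` is a substring match that ordinary strings such as `download`, `payload` or a `LoadLibrary` name passed to GetProcAddress satisfy, so in the static `function` scope any function that references the `Windows NT\\CurrentVersion\\Windows` key path and carries one of those strings will match. Anchor the value name as the screensaver rule in this series does for `SCRNSAVE.EXE`: `- string: /^Load$/i`. The new `/mpnotify/i` and `/DllName/i` strings in the winlogon-helper hunk of this same patch are unanchored value names too and would benefit from the same treatment. The `or:` that encloses this list starts outside the hunk.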
diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
index 4d7f58a3..18bbeec3 100644
--- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
@@ -6,7 +6,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
 examples:
diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index 041e2425..695dac41 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 88a64959..65741911 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -4,6 +4,7 @@ rule:
 namespace: persistence/startup-folder
 authors:
 - matthew.williams@mandiant.com
+ - j.j.vannielen@utwente.nl
 scopes:
 static: function
 dynamic: thread
@@ -12,9 +13,20 @@ rule:
 examples:
 - 07F7846BBCDA782E5639292AD93907EB:0x401040
 features:
- - and:
- - match: get startup folder
- - or:
- - match: copy file
- - match: move file
- - match: host-interaction/file-system/write
+ - or:
+ - and:
+ - match: get startup folder
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - call:
+ - and:
+ - or:
+ - string: /Microsoft\\Windows\\Start Menu\\Programs\\Startup\\/i
+ - string: /Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\/i
+ - string: /WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\/i
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
\ No newline at end of file
From 9865e9812019bda14febe29c8db5ca94ed1a21fb Mon Sep 17 00:00:00 2001
From: Jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 2 Dec 2024 15:20:17 +0100
Subject: [PATCH 2/8] Update persistence/startup-folder/write-file-to-startup-folder.yml
Co-authored-by: Moritz
---
 persistence/startup-folder/write-file-to-startup-folder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 65741911..ba5b6567 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -29,4 +29,4 @@ rule:
 - or:
 - match: copy file
 - match: move file
- - match: host-interaction/file-system/write
\ No newline at end of file
+ - match: host-interaction/file-system/write
From 48199ae79b30914f6bcd43144f49b97d5df5d5fc Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Thu, 5 Dec 2024 11:59:40 +0100
Subject: [PATCH 3/8] change scope to call for shell command via WRM
---
 nursery/execute-shell-command-via-windows-remote-management.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
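Review bot: The new `call:` branch places `match: copy file`, `match: move file` and `match: host-interaction/file-system/write` inside a single-call subscope, which can only fire if those referenced rules are themselves matchable at `call` scope; this rule's own dynamic scope stays `thread` (see the first hunk of this file in the patch), so if the referenced rules declare only `thread` or `process` dynamic scopes the whole second branch is dead in dynamic analysis. Worth confirming their `scopes:` blocks before relying on the branch. The copy/move/write `or:` is also repeated verbatim in both branches, which is why later patches in this series have to update it twice. The `features:` key and the enclosing `or:` both start inside the hunk; the rule's `scopes:` block does not.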
diff --git a/nursery/execute-shell-command-via-windows-remote-management.yml b/nursery/execute-shell-command-via-windows-remote-management.yml
index b5281be3..4fed57d0 100644
--- a/nursery/execute-shell-command-via-windows-remote-management.yml
+++ b/nursery/execute-shell-command-via-windows-remote-management.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: call
 features:
 - and:
 - or:
From 7d5aa63685093289886f736b719a128f676f9408 Mon Sep 17 00:00:00 2001
From: Jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Thu, 5 Dec 2024 13:52:05 +0100
Subject: [PATCH 4/8] Update persistence/startup-folder/write-file-to-startup-folder.yml
Co-authored-by: Moritz
---
 persistence/startup-folder/write-file-to-startup-folder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index ba5b6567..87f9526a 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -29,4 +29,4 @@ rule:
 - or:
 - match: copy file
 - match: move file
- - match: host-interaction/file-system/write
+ - match: write file on Windows
From 26742fefedf29daaed5b3b38af144d1b66c95c68 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Thu, 5 Dec 2024 13:54:57 +0100
Subject: [PATCH 5/8] fix startup folder persistence rule
---
 .../startup-folder/write-file-to-startup-folder.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 87f9526a..9465a53f 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -19,13 +19,10 @@ rule:
 - or:
 - match: copy file
 - match: move file
- - match: host-interaction/file-system/write
+ - match: write file on Windows
 - call:
 - and:
- - or:
- - string: /Microsoft\\Windows\\Start Menu\\Programs\\Startup\\/i
- - string: /Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\/i
- - string: /WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\/i
+ - match: reference startup folder
 - or:
 - match: copy file
 - match: move file
From f5223cd5a33faf5cd46116d1b0fcdebe8e1d9c05 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:29:44 +0100
Subject: [PATCH 6/8] change name screensaver persistence technique
---
 nursery/reference-screen-saver-executable.yml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 nursery/reference-screen-saver-executable.yml
diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml
deleted file mode 100644
index a916936f..00000000
--- a/nursery/reference-screen-saver-executable.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-rule:
- meta:
- name: persist via screensaver registry key
- namespace: persistence/screensaver
- authors:
- - michael.hunhoff@mandiant.com
- description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Event Triggered Execution::Screensaver [T1546.002]
- features:
- - and:
- - match: set registry value
- - string: /Control Panel\\Desktop/i
- - string: /^SCRNSAVE.EXE$/i
- - optional:
- - string: "ScreenSaveTimeOut"
From 30b5bcac6885acd560561e49e9b9cde421f01347 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:33:39 +0100
Subject: [PATCH 7/8] change name screensaver persistence technique pt 2
---
 .../persist-via-screensaver-registry-key.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 nursery/persist-via-screensaver-registry-key.yml
diff --git a/nursery/persist-via-screensaver-registry-key.yml b/nursery/persist-via-screensaver-registry-key.yml
new file mode 100644
index 00000000..a916936f
--- /dev/null
+++ b/nursery/persist-via-screensaver-registry-key.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: persist via screensaver registry key
+ namespace: persistence/screensaver
+ authors:
+ - michael.hunhoff@mandiant.com
+ description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Screensaver [T1546.002]
+ features:
+ - and:
+ - match: set registry value
+ - string: /Control Panel\\Desktop/i
+ - string: /^SCRNSAVE.EXE$/i
+ - optional:
+ - string: "ScreenSaveTimeOut"
From bb0aae983d9e3f083c75fbaa56989fd907391c39 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:34:03 +0100
Subject: [PATCH 8/8] fix write to startup folder persistence rule
---
 persistence/startup-folder/write-file-to-startup-folder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 9465a53f..2b88013d 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -22,7 +22,7 @@ rule:
 - match: write file on Windows
 - call:
 - and:
- - match: reference startup folder
+ - string: /Start Menu\\Programs\\Startup/i
 - or:
 - match: copy file
 - match: move file
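Review bot: After this change the Startup-folder location is encoded twice in the rule: the `call:` branch hard-codes `/Start Menu\\Programs\\Startup/i` while the static branch, outside this hunk, still relies on `match: get startup folder`, so the two are likely to drift apart as paths are added to one and not the other. Since `match: reference startup folder` was introduced in patch 5 and backed out here, record the reason on the feature so the next maintainer does not re-attempt it, e.g. `- string: /Start Menu\\Programs\\Startup/i` followed by `  description: <why a literal path rather than a rule match is used inside this call block>`. The enclosing `or:` and the rule's `features:` start outside the hunk.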