Add 4 miscellaneous persistence techniques

[jorik-utwente]

Add 4 miscellaneous persistence techniques.

The BITS Jobs and WMI subscription rules may result in false positives because of the ole32.CoCreateInstance matching.
We might want to remove that part, but that would result in false negatives. Thoughts on this are welcome! :)

This PR requires #952 to be merged.

[mr-tz]

very cool, see my initial feedback attached

[mr-tz]

do you think it's enough signal to just see the COM usage?

[jorik-utwente]

There could be false positives here indeed, but from my experience malware mostly uses BITS for persistence. So in this case I would argue the COM usage is enough

[mr-tz]

per the reference, BITS could also be used to download a payload, for example

[mr-tz]

we could change the rule to detect BITS usage in general here

[jorik-utwente]

I removed the COM part in the latest commit. Now the rule looks for the cmd/powershell commands. This removes the false positives. As you said, we could add a rule in the future to detect BITS usage in general.

[mr-tz]

do you think it's enough signal to just see the COM usage?

[jorik-utwente]

Malware also uses WMI for information gathering etc.. To reduce false positives we should remove it indeed. I don't see any way in Cape that we can use to reduce the false positives, as we can't match the communication with WMI.

[mr-tz]

agreed, for static analysis we could add more details, for dynamic I'd have to do more research myself to see what features are available

[mr-tz]

like above we could generalize the rule to detect WMI usage

[jorik-utwente]

I moved this to the rule for WMI usage detection. Let me know what you think.

[mr-tz]

LGTM, thank you!

[mr-tz]

this is great, thank you!