Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 4 miscellaneous persistence techniques #956

Merged
merged 7 commits into from
Nov 25, 2024
Merged

Add 4 miscellaneous persistence techniques #956

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
48621e0
Add 4 miscellaneous persistence techniques.
jorik-utwente Nov 5, 2024
1d7ef45
change to COM tag
jorik-utwente Nov 13, 2024
f23aaa7
change namespaces
jorik-utwente Nov 13, 2024
d95d7b6
add sdbinst.exe to shimming rule
jorik-utwente Nov 13, 2024
2627820
add comment about overwriting .sdb files
jorik-utwente Nov 15, 2024
82a9d40
move WMI persistence rule to WMI usage detection rule
jorik-utwente Nov 22, 2024
5873d7f
Remove COM usage detection from BITS jobs persistence
jorik-utwente Nov 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions nursery/persist-via-application-shimming.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
rule:
meta:
name: persist via application shimming
namespace: persistence
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Application Shimming [T1546.011]
references:
- https://cloud.google.com/blog/topics/threat-intelligence/fin7-shim-databases-persistence/
features:
jorik-utwente marked this conversation as resolved.
Show resolved Hide resolved
- or:
- and:
- match: set registry value
- string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
jorik-utwente marked this conversation as resolved.
Show resolved Hide resolved
- string: /DatabasePath/i
- and:
- or:
- match: copy file
- match: move file
- match: host-interaction/file-system/write
- string: /.sdb/i
jorik-utwente marked this conversation as resolved.
Show resolved Hide resolved
- and:
- match: host-interaction/process/create
- string: /sdbinst(|\.exe) /i
29 changes: 29 additions & 0 deletions nursery/persist-via-bits-job.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
rule:
meta:
name: persist via BITS job
namespace: persistence
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::BITS Jobs [T1197]
references:
- https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
features:
- or:
- and:
- api: ole32.CoCreateInstance
- com/class: BackgroundCopyManager # 4991d34b-80a1-4291-83b6-3328366b9097
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you think it's enough signal to just see the COM usage?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There could be false positives here indeed, but from my experience malware mostly uses BITS for persistence. So in this case I would argue the COM usage is enough

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per the reference, BITS could also be used to download a payload, for example

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could change the rule to detect BITS usage in general here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the COM part in the latest commit. Now the rule looks for the cmd/powershell commands. This removes the false positives. As you said, we could add a rule in the future to detect BITS usage in general.

- and:
- match: host-interaction/process/create
- or:
- and:
- string: /bitsadmin(|\.exe) /i
- string: /\/SetNotifyCmdLine/i
- and:
- or:
- string: /Set-BitsTransfer /i
- string: /Start-BitsTransfer /i
- string: / -NotifyCmdLine /i
25 changes: 25 additions & 0 deletions nursery/persist-via-print-processors-registry-key.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
rule:
meta:
name: persist via Print Processors registry key
namespace: persistence
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Boot or Logon Autostart Execution::Print Processors [T1547.012]
references:
- https://stmxcsr.com/persistence/print-processor.html
features:
- or:
- and:
- match: set registry value
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
- string: /^Driver$/i
- and:
- or:
- match: copy file
- match: move file
- match: host-interaction/file-system/write
- string: /\\spool\\PRTPROCS\\/i
mr-tz marked this conversation as resolved.
Show resolved Hide resolved
24 changes: 24 additions & 0 deletions nursery/persist-via-wmi-event-subscription.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
rule:
meta:
name: persist via WMI event subscription
namespace: persistence
authors:
- [email protected]
scopes:
static: function
dynamic: call
att&ck:
- Persistence::Event Triggered Execution::Windows Management Instrumentation Event Subscription [T1546.003]
references:
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap/
features:
- or:
- and:
- api: ole32.CoCreateInstance
- com/class: WbemLocator # 4590F811-1D3A-11D0-891F-00AA004B2E24
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you think it's enough signal to just see the COM usage?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Malware also uses WMI for information gathering etc.. To reduce false positives we should remove it indeed. I don't see any way in Cape that we can use to reduce the false positives, as we can't match the communication with WMI.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, for static analysis we could add more details, for dynamic I'd have to do more research myself to see what features are available

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like above we could generalize the rule to detect WMI usage

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved this to the rule for WMI usage detection. Let me know what you think.

- and:
- match: host-interaction/process/create
- or:
- string: /wmic(|\.exe) /i
- string: /Register-WMIEvent /i