persist-via-run-registry-key.yml
# capa rule: flags code that writes (or touches) the well-known autostart
# registry locations used for logon/boot persistence. All features below must
# co-occur inside one function (static) or one API call (dynamic) to match.
rule:
  meta:
    name: persist via Run registry key
    namespace: persistence/registry/run
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
    mbc:
      - Persistence::Registry Run Keys / Startup Folder [F0012]
    examples:
      - Practical Malware Analysis Lab 06-03.exe_:0x401130
      - b87e9dd18a5533a09d3e48a7a1efbcf6:0x1400070E0
      - 9ff8e68343cc29c1036650fc153e69f7:0x470624
  features:
    - and:
      # Branch 1: evidence of registry access. Either a registry write (via the
      # shared "set registry value" rule) OR one of the predefined root-key
      # handle constants. The `= NAME` suffix is capa's description syntax for
      # the constant, not part of the matched value.
      # NOTE(review): because the HKCU/HKLM constants alone satisfy this branch,
      # a function that only opens or reads a Run key (e.g. to enumerate
      # existing autostarts) also matches, even though the rule is named
      # "persist". Requiring `match: set registry value` here would trade that
      # coverage for precision — confirm which is intended.
      - or:
        - match: set registry value
        - number: 0x80000001 = HKEY_CURRENT_USER
        - number: 0x80000002 = HKEY_LOCAL_MACHINE
      # Branch 2: a string naming an autostart location. `/.../i` is capa's
      # case-insensitive regex syntax; backslashes are doubled for the regex.
      # These are plain string features, so a sample that builds the path from
      # stack strings or decrypts it at runtime will not be matched statically.
      - or:
        # Run-key family under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion.
        - and:
          - string: /Software\\Microsoft\\Windows\\CurrentVersion/i
          - or:
            # Unanchored: matches Run, RunOnce, RunOnceEx and RunServices
            # anywhere in the string, but also any other string containing
            # "run" that sits next to the CurrentVersion path.
            - string: /Run/i
            # Shell Folders / User Shell Folders hold the Startup folder path;
            # redirecting it is the "Startup Folder" half of T1547.001.
            - string: /Explorer\\Shell Folders/i
            - string: /User Shell Folders/i
            # Already covered by /Run/i above; kept as an explicit, readable hit.
            - string: /RunServices/i
            # Group-policy Run list, also honoured by Explorer at logon.
            - string: /Policies\\Explorer\\Run/i
        # The legacy "Load" value under Windows NT\CurrentVersion\Windows is
        # executed at user logon; both strings must be present.
        - and:
          - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i
          - string: /Load/i
        # BootExecute lists native programs run by the session manager at boot.
        # It lives under HKLM only, so writing it normally needs elevation.
        - string: /System\\CurrentControlSet\\Control\\Session Manager\\BootExecute/i