Add 10 file system based persistence techniques

nursery/persist-via-accessibility-tools-backdoor.yml

@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: persist via accessibility tools backdoor
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Accessibility Features [T1546.008]
+    references:
+      - https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /windows\\system32\\osk.exe/i
+        - string: /windows\\system32\\Magnify.exe/i
+        - string: /windows\\system32\\narator.exe/i
+        - string: /windows\\system32\\displayswitch.exe/i
+        - string: /windows\\system32\\atbroker.exe/i
+        - string: /windows\\system32\\sethc.exe/i
+        - string: /windows\\system32\\utilman.exe/i

nursery/persist-via-browser-extension.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: persist via browser extension
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Browser Extensions [T1176]
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\/i
+        - string: /AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\/i
+        - and:
+          - string: /AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\/i
+          - string: /.default\\extensions\\/i

nursery/persist-via-errorhandler-script.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via ErrorHandler script
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - string: /\\Windows\\Setup\\Scripts\\ErrorHandler.cmd/i

nursery/persist-via-get-variable-hijack.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via Get-Variable hijack
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+  features:
+    - and:
+      - match: persist via host software binary compromise
+      - string: /Microsoft\\WindowsApps\\Get-Variable.exe/i

nursery/persist-via-host-software-binary-compromise.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: persist via host software binary compromise
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Compromise Client Software Binary [T1554]
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /Windows/i
+        - string: /Program Files/i
+      - string: /.exe$/i

nursery/persist-via-iphlpapi-dll-hijack.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: persist via iphlpapi DLL hijack
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://cyble.com/blog/targeted-attacks-being-carried-out-via-dll-sideloading/
+  features:
+    - and:
+      - string: /\\Appdata\\Local\\Microsoft\\.*\\iphlpapi.dll/i

nursery/persist-via-lnk-shortcut.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via lnk shortcut
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
+    references:
+      - https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - string: /\.lnk$/i

nursery/persist-via-powershell-profile.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: persist via PowerShell profile
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::PowerShell Profile [T1546.013]
+    references:
+      - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /Profile.ps1/i
+        - string: /Microsoft.PowerShell_profile.ps1/i

nursery/persist-via-startup-folder.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: persist via startup folder
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
+    references:
+      - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1547-boot-or-logon-autostart-execution/registry-run-keys-startup-folder
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /Microsoft\\Windows\\Start Menu\\Programs\\Startup\\/i
+        - string: /Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\/i
+        - string: /WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\/i

nursery/persist-via-windows-terminal-profile.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: persist via Windows Terminal Profile
+    namespace: persistence/file-system
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://nasbench.medium.com/persistence-using-windows-terminal-profiles-5035d3fc86fe
+  features:
+    - and:
+      - or:
+        - match: copy file
+        - match: move file
+        - match: host-interaction/file-system/write
+      - or:
+        - string: /Local\\Packages\\Microsoft.WindowsTerminal_.*\\LocalState\\settings.json/i