From a65bc9ef4b64853319d98cf34b5b8fe1bfbfa634 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:42:40 +0100
Subject: [PATCH] Add 10 file system based persistence techniques
---
 ...rsist-via-accessibility-tools-backdoor.yml | 27 +++++++++++++++++++
 nursery/persist-via-browser-extension.yml | 23 ++++++++++++++++
 nursery/persist-via-errorhandler-script.yml | 20 ++++++++++++++
 nursery/persist-via-get-variable-hijack.yml | 17 ++++++++++++
 ...st-via-host-software-binary-compromise.yml | 21 +++++++++++++++
 nursery/persist-via-iphlpapi-dll-hijack.yml | 16 +++++++++++
 nursery/persist-via-lnk-shortcut.yml | 20 ++++++++++++++
 nursery/persist-via-powershell-profile.yml | 22 +++++++++++++++
 nursery/persist-via-startup-folder.yml | 23 ++++++++++++++++
 .../persist-via-windows-terminal-profile.yml | 21 +++++++++++++++
 10 files changed, 210 insertions(+)
 create mode 100644 nursery/persist-via-accessibility-tools-backdoor.yml
 create mode 100644 nursery/persist-via-browser-extension.yml
 create mode 100644 nursery/persist-via-errorhandler-script.yml
 create mode 100644 nursery/persist-via-get-variable-hijack.yml
 create mode 100644 nursery/persist-via-host-software-binary-compromise.yml
 create mode 100644 nursery/persist-via-iphlpapi-dll-hijack.yml
 create mode 100644 nursery/persist-via-lnk-shortcut.yml
 create mode 100644 nursery/persist-via-powershell-profile.yml
 create mode 100644 nursery/persist-via-startup-folder.yml
 create mode 100644 nursery/persist-via-windows-terminal-profile.yml
diff --git a/nursery/persist-via-accessibility-tools-backdoor.yml b/nursery/persist-via-accessibility-tools-backdoor.yml
new file mode 100644
index 00000000..7a969d70
--- /dev/null
+++ b/nursery/persist-via-accessibility-tools-backdoor.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: persist via accessibility tools backdoor
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Accessibility Features [T1546.008]
+ references:
+ - https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /windows\\system32\\osk.exe/i
+ - string: /windows\\system32\\Magnify.exe/i
+ - string: /windows\\system32\\narator.exe/i
+ - string: /windows\\system32\\displayswitch.exe/i
+ - string: /windows\\system32\\atbroker.exe/i
+ - string: /windows\\system32\\sethc.exe/i
+ - string: /windows\\system32\\utilman.exe/i
diff --git a/nursery/persist-via-browser-extension.yml b/nursery/persist-via-browser-extension.yml
new file mode 100644
index 00000000..b821785e
--- /dev/null
+++ b/nursery/persist-via-browser-extension.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: persist via browser extension
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Browser Extensions [T1176]
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\/i
+ - string: /AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\/i
+ - and:
+ - string: /AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\/i
+ - string: /.default\\extensions\\/i
diff --git a/nursery/persist-via-errorhandler-script.yml b/nursery/persist-via-errorhandler-script.yml
new file mode 100644
index 00000000..b2fcb95f
--- /dev/null
+++ b/nursery/persist-via-errorhandler-script.yml
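Review bot: The third path pattern in the second `or` block, `/windows\\system32\\narator.exe/i`, misspells the Narrator binary (it is `Narrator.exe`), so that arm can never match a real path; it should read `- string: /windows\\system32\\narrator\.exe/i`. Every `.` in these patterns is an unescaped regex metacharacter, here and in the ErrorHandler, Get-Variable, host-software-binary, PowerShell-profile and Windows-Terminal hunks of this commit; the lnk rule's `/\.lnk$/i` shows the intended form, so writing `\.` keeps the ten rules consistent and literal. The rule also fires on any copy/move/write whose path merely mentions one of these binaries, which is acceptable for a nursery rule, but a `description:` in `meta` stating that expected false-positive class would help whoever later promotes it.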
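Review bot: The Chromium arms hard-code the `Default` profile directory, so an extension dropped into a secondary profile (`Profile 1`, `Profile 2`, …) is not matched; `/AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Extensions\\/i` (and the same shape for Edge) covers every profile. The Firefox arm `/.default\\extensions\\/i` likewise misses profiles named `<id>.default-release`, which current Firefox releases create by default, and its leading unescaped `.` matches any character rather than the literal dot; `/\.default(-release)?\\extensions\\/i` addresses both. These are coverage gaps rather than false-positive risks, so the rule is safe to land as written.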
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via ErrorHandler script
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /\\Windows\\Setup\\Scripts\\ErrorHandler.cmd/i
diff --git a/nursery/persist-via-get-variable-hijack.yml b/nursery/persist-via-get-variable-hijack.yml
new file mode 100644
index 00000000..85563226
--- /dev/null
+++ b/nursery/persist-via-get-variable-hijack.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: persist via Get-Variable hijack
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+ features:
+ - and:
+ - match: persist via host software binary compromise
+ - string: /Microsoft\\WindowsApps\\Get-Variable.exe/i
diff --git a/nursery/persist-via-host-software-binary-compromise.yml b/nursery/persist-via-host-software-binary-compromise.yml
new file mode 100644
index 00000000..a3d8a169
--- /dev/null
+++ b/nursery/persist-via-host-software-binary-compromise.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: persist via host software binary compromise
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Compromise Client Software Binary [T1554]
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /Windows/i
+ - string: /Program Files/i
+ - string: /.exe$/i
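Review bot: The rule is built on `match: persist via host software binary compromise`, so it only resolves if that sibling rule (added in this same commit) is present and keeps its current, very broad `or` block; tightening the sibling later — which its `/Windows/i` and `/.exe$/i` arms invite — would silently change what this rule requires. Since the Get-Variable path is the only specific feature here, inlining the file-operation block the other rules use (an `or` of `match: copy file`, `match: move file`, `match: host-interaction/file-system/write`) next to the path string makes the rule self-contained. The path string should also escape its dot, `- string: /Microsoft\\WindowsApps\\Get-Variable\.exe/i`.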
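Review bot: The second `or` block makes this rule match almost any file write: `/Windows/i` is satisfied by any string containing the word "windows", and `/.exe$/i` by any string ending in "exe" (the unescaped `.` even drops the dot requirement), so every installer, updater or self-copying sample that writes an executable will hit it — together with the copy/move/write matches this is T1554 only by name. Anchoring the arms to the directories the technique targets, e.g. `- string: /\\Windows\\System32\\.*\.exe$/i` and `- string: /\\Program Files( \(x86\))?\\.*\.exe$/i`, keeps the intent (overwriting an installed binary) while removing the blanket `.exe$` arm. Note that the Get-Variable rule in this commit depends on this rule through `match:` and its path (`Microsoft\WindowsApps\Get-Variable.exe`) sits under neither directory, so any tightening here has to be coordinated with that rule.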
diff --git a/nursery/persist-via-iphlpapi-dll-hijack.yml b/nursery/persist-via-iphlpapi-dll-hijack.yml
new file mode 100644
index 00000000..d4d30ca1
--- /dev/null
+++ b/nursery/persist-via-iphlpapi-dll-hijack.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: persist via iphlpapi DLL hijack
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Hijack Execution Flow [T1574]
+ references:
+ - https://cyble.com/blog/targeted-attacks-being-carried-out-via-dll-sideloading/
+ features:
+ - and:
+ - string: /\\Appdata\\Local\\Microsoft\\.*\\iphlpapi.dll/i
diff --git a/nursery/persist-via-lnk-shortcut.yml b/nursery/persist-via-lnk-shortcut.yml
new file mode 100644
index 00000000..6c542cd7
--- /dev/null
+++ b/nursery/persist-via-lnk-shortcut.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via lnk shortcut
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
+ references:
+ - https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /\.lnk$/i
diff --git a/nursery/persist-via-powershell-profile.yml b/nursery/persist-via-powershell-profile.yml
new file mode 100644
index 00000000..4e9e6d30
--- /dev/null
+++ b/nursery/persist-via-powershell-profile.yml
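Review bot: Unlike the other nine rules in this commit, this one has no file-operation feature: `- and:` wraps a single `string`, so the rule fires whenever the `iphlpapi.dll` path string is present, including in samples that merely enumerate or read it. Adding the same `or` block the sibling rules use (`match: copy file`, `match: move file`, `match: host-interaction/file-system/write`) next to the string ties the detection to the DLL being planted, which is the sideloading step the reference describes. Without that addition the single-child `and` is redundant, and the `.` in `iphlpapi.dll` should be `\.` in either case.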
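Review bot: `/\.lnk$/i` on any copy/move/write means every installer that creates a shortcut matches, and any `.lnk` written into the Startup folder also triggers the separate `persist via startup folder` rule in this commit, so the two fully overlap for that case. The referenced technique is modification of a shortcut the user already launches; scoping the string toward such locations, e.g. `- string: /\\(Desktop|Start Menu\\Programs)\\.*\.lnk$/i`, moves the rule closer to that behaviour, though installer-created shortcuts would still match, so a `description:` in `meta` naming that expected false positive is worth adding either way. Structurally the rule is consistent with its siblings.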
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: persist via PowerShell profile
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::PowerShell Profile [T1546.013]
+ references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /Profile.ps1/i
+ - string: /Microsoft.PowerShell_profile.ps1/i
diff --git a/nursery/persist-via-startup-folder.yml b/nursery/persist-via-startup-folder.yml
new file mode 100644
index 00000000..0dce476e
--- /dev/null
+++ b/nursery/persist-via-startup-folder.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: persist via startup folder
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
+ references:
+ - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1547-boot-or-logon-autostart-execution/registry-run-keys-startup-folder
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /Microsoft\\Windows\\Start Menu\\Programs\\Startup\\/i
+ - string: /Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\/i
+ - string: /WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\/i
diff --git a/nursery/persist-via-windows-terminal-profile.yml b/nursery/persist-via-windows-terminal-profile.yml
new file mode 100644
index 00000000..8764552f
--- /dev/null
+++ b/nursery/persist-via-windows-terminal-profile.yml
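Review bot: `/Profile.ps1/i` already matches `Microsoft.PowerShell_profile.ps1` as a case-insensitive substring, so the second `or` arm is redundant, and because the first arm is not anchored to a profile directory, a file named profile.ps1 anywhere on disk triggers the rule. Every location in the linked about_Profiles page sits under a `WindowsPowerShell` or `PowerShell` directory, including `$PSHOME` and the host-specific `Microsoft.<host>_profile.ps1` variants, so a single `- string: /\\(WindowsPowerShell|PowerShell)\\.*profile\.ps1$/i` covers them while dropping the stray matches. The unescaped `.` in both current arms should become `\.` either way.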
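Review bot: All three arms require the literal Startup path to appear as a string, so a sample that resolves the folder at run time — `SHGetFolderPathW`/`SHGetSpecialFolderPathW` with `CSIDL_STARTUP` (7) or `CSIDL_COMMON_STARTUP` (0x18), or `SHGetKnownFolderPath` with `FOLDERID_Startup` — never carries the literal and is missed, and that is a common form for loaders. An additional arm in the second `or` combining `api: shell32.SHGetFolderPathW` with `number: 0x7 = CSIDL_STARTUP` (plus the common-startup constant and the known-folder API) would catch that variant inside the same `and`. The string arms themselves look right, and the trailing `\\` correctly requires a file component below the folder.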
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: persist via Windows Terminal Profile
+ namespace: persistence/file-system
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution [T1546]
+ references:
+ - https://nasbench.medium.com/persistence-using-windows-terminal-profiles-5035d3fc86fe
+ features:
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - or:
+ - string: /Local\\Packages\\Microsoft.WindowsTerminal_.*\\LocalState\\settings.json/i
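Review bot: The package pattern `Microsoft.WindowsTerminal_.*` matches only the stable package; the Preview channel installs under `Microsoft.WindowsTerminalPreview_…` with the same `LocalState\settings.json`, so `- string: /Microsoft\.WindowsTerminal(Preview)?_.*\\LocalState\\settings\.json/i` covers both and escapes the dots. The second `or` has a single child and can be dropped, or kept to hold the unpackaged-install location (`Microsoft\Windows Terminal\settings.json` under `%LOCALAPPDATA%`, if I recall the Terminal documentation correctly), which the rule currently also misses. Both are coverage gaps rather than false-positive risks.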