title: Persistence Mechanism via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects persistence establishment using [specific technique]
references:
    - https://attack.mitre.org/tactics/TA0003/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
    - attack.persistence
    - attack.t1053  # Replace with specific technique
logsource:
    category: process_creation  # or registry_event, file_event
    product: windows
detection:
    selection:
        # Define your detection criteria
    condition: selection
falsepositives:
    - Software installation
    - System updates
    - Legitimate scheduled tasks
level: medium
fields:
    - User
    - CommandLine
    - Image
    - TargetObject

# Common Persistence Techniques:
#
# T1053.005 - Scheduled Task
# logsource:
#     category: process_creation
# detection:
#     selection:
#         Image|endswith: '\schtasks.exe'
#         CommandLine|contains: '/create'
#
# T1547.001 - Registry Run Keys / Startup Folder
# logsource:
#     category: registry_event
# detection:
#     selection:
#         TargetObject|contains:
#             - '\Software\Microsoft\Windows\CurrentVersion\Run'
#             - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
#
# T1543.003 - Windows Service
# detection:
#     selection:
#         Image|endswith: '\sc.exe'
#         CommandLine|contains: 'create'
#
# T1547.004 - Winlogon Helper DLL
# logsource:
#     category: registry_event
# detection:
#     selection:
#         TargetObject|contains:
#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
#             - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
#
# T1136.001 - Create Account (Local Account)
# detection:
#     selection:
#         EventID: 4720  # User account created
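# Added example, not part of the template or of the Sigma project: a minimal
# evaluator for the `selection` maps in the commented persistence examples
# above, run over constructed sample events. Only the modifiers the template
# uses (|endswith, |contains, plain equality) are implemented, with the
# case-insensitive string matching Sigma specifies; the rule names, helper
# functions and sample events are assumptions made for this illustration.

def _match_field(event, key, expected):
    """True if one `Field|modifier: value(s)` entry matches the event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:  # a list of values is an OR in Sigma
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def matches(selection, event):
    """Every entry of a selection map must match (AND), as `condition: selection`."""
    return all(_match_field(event, k, v) for k, v in selection.items())


# Selections lifted from the commented examples in the template.
SCHEDULED_TASK = {"Image|endswith": "\\schtasks.exe", "CommandLine|contains": "/create"}
RUN_KEY = {"TargetObject|contains": [
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"]}
NEW_SERVICE = {"Image|endswith": "\\sc.exe", "CommandLine|contains": "create"}

# Constructed sample events (not real telemetry); one benign schtasks query is
# included to show that the rule keys on '/create', not on the binary alone.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Tools\\updater.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /Query /TN Updater"},
    {"TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe create svc binPath= C:\\Tools\\svc.exe"},
]


def run_rules(events=EVENTS):
    """Return, per event, the names of the rules whose selection matched."""
    rules = {"T1053.005": SCHEDULED_TASK, "T1547.001": RUN_KEY, "T1543.003": NEW_SERVICE}
    return [[name for name, sel in rules.items() if matches(sel, ev)] for ev in events]
```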