69 lines
1.8 KiB
YAML
69 lines
1.8 KiB
YAML
title: Persistence Mechanism via [TECHNIQUE]
|
|
id: GENERATE-NEW-UUID
|
|
status: experimental
|
|
description: Detects persistence establishment using [specific technique]
|
|
references:
|
|
- https://attack.mitre.org/tactics/TA0003/
|
|
author: Your Name
|
|
date: 2024/01/20
|
|
modified: 2024/01/20
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1053 # Replace with specific technique
|
|
logsource:
|
|
category: process_creation # or registry_event, file_event
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
# Define your detection criteria
|
|
condition: selection
|
|
falsepositives:
|
|
- Software installation
|
|
- System updates
|
|
- Legitimate scheduled tasks
|
|
level: medium
|
|
fields:
|
|
- User
|
|
- CommandLine
|
|
- Image
|
|
- TargetObject
|
|
|
|
# Common Persistence Techniques:
|
|
#
|
|
# T1053.005 - Scheduled Task
|
|
# logsource:
|
|
# category: process_creation
|
|
# detection:
|
|
# selection:
|
|
# Image|endswith: '\schtasks.exe'
|
|
# CommandLine|contains: '/create'
|
|
#
|
|
# T1547.001 - Registry Run Keys / Startup Folder
|
|
# logsource:
|
|
# category: registry_event
|
|
# detection:
|
|
# selection:
|
|
# TargetObject|contains:
|
|
# - '\Software\Microsoft\Windows\CurrentVersion\Run'
|
|
# - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
|
|
#
|
|
# T1543.003 - Windows Service
|
|
# detection:
|
|
# selection:
|
|
# Image|endswith: '\sc.exe'
|
|
# CommandLine|contains: 'create'
|
|
#
|
|
# T1547.004 - Winlogon Helper DLL
|
|
# logsource:
|
|
# category: registry_event
|
|
# detection:
|
|
# selection:
|
|
# TargetObject|contains:
|
|
# - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
|
|
# - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
|
|
#
|
|
# T1136.001 - Create Account (Local Account)
|
|
# detection:
|
|
# selection:
|
|
# EventID: 4720 # User account created
|