forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathwindows_persistence.yml
More file actions
74 lines (74 loc) · 2.97 KB
/
windows_persistence.yml
File metadata and controls
74 lines (74 loc) · 2.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
category:
- Adversary Tactics
channel: ESCU
creation_date: '2017-04-19'
description: Monitor for activities and techniques associated with maintaining persistence
on a Windows system--a sign that an adversary may have compromised your environment.
detections:
- detection_id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb
name: Registry Keys for Creating SHIM Databases
type: splunk
- detection_id: 404620de-46d8-48b6-90cc-8a8d7b0876a3
name: Shim Database Installation With Suspicious Parameters
type: splunk
- detection_id: 6e4c4588-ba2f-42fa-97e6-9f6f548eaa33
name: Shim Database File Creation
type: splunk
- detection_id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
name: Registry Keys Used For Persistence
type: splunk
- detection_id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6
name: Schtasks used for forcing a reboot
type: splunk
- detection_id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
name: Sc.exe Manipulating Windows Services
type: splunk
- detection_id: 8470d755-0c13-45b3-bd63-387a373c10cf
name: Reg.exe Manipulating Windows Services Registry Keys
type: splunk
- detection_id: c77162d3-f93c-45cc-80c8-22f6b5264g9f
name: Hiding Files And Directories With Attrib.exe
type: splunk
- detection_id: c77162d3-f93c-45cc-80c8-22f6b5264x9f
name: Reg.exe used to hide files/directories via registry keys
type: splunk
- detection_id: c77162d3-f93c-45cc-80c8-22f6v5264g9f
name: Detect Path Interception By Creation Of program.exe
type: splunk
- detection_id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc
name: Monitor Registry Keys for Print Monitors
type: splunk
- detection_id: c9f4b923-f8af-4155-b697-1354f5dcbc5e
name: Remote Registry Key modifications
type: splunk
id: 30874d4f-20a1-488f-85ec-5d52ef74e3f9
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2018-05-31'
name: Windows Persistence Techniques
narrative: Maintaining persistence is one of the first steps taken by attackers after
the initial compromise. Attackers leverage various custom and built-in tools to
ensure survivability and persistent access within a compromised enterprise. This
Analytic Story provides searches to help you identify various behaviors used by
attackers to maintain persistent access to a Windows environment.
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
references:
- http://www.fuzzysecurity.com/tutorials/19.html
- https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html
- http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://www.youtube.com/watch?v=dq2Hv7J9fvk
spec_version: 2
usecase: Advanced Threat Detection
version: '2.0'