persistence_script_interpreter_or_untrusted_process_persistence.yml
name: Script interpreter host or untrusted process persistence
id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
version: 1.1.3
description: |
  Identifies the script interpreter or untrusted process writing to commonly
  abused run keys or the Startup folder locations.
labels:
  # MITRE ATT&CK mapping (Persistence is tactic TA0003)
  tactic.id: TA0003
  tactic.name: Persistence
  tactic.ref: https://attack.mitre.org/tactics/TA0003/
  technique.id: T1547
  technique.name: Boot or Logon Autostart Execution
  technique.ref: https://attack.mitre.org/techniques/T1547/
  subtechnique.id: T1547.001
  subtechnique.name: Registry Run Keys / Startup Folder
  subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
# A registry modification or file creation (excluding the System process, PID 4)
# by a script interpreter, a child of one, or a process without a trusted
# signature, targeting a run key or a Startup folder location. Known-benign
# writers (shell, service hosts, browsers, sync clients) and Microsoft-signed
# binaries are excluded.
condition: >
  (((modify_registry) or (create_file)) and evt.pid != 4) and
  (ps.name in script_interpreters or ps.parent.name in script_interpreters or ps.signature.trusted = false) and
  (registry.path imatches registry_run_keys or file.path imatches startup_locations) and
  not (ps.exe imatches
    (
      '?:\\Windows\\explorer.exe',
      '?:\\Windows\\System32\\services.exe',
      '?:\\Windows\\System32\\svchost.exe',
      '?:\\Windows\\System32\\msiexec.exe',
      '?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe',
      '?:\\Program Files*\\Mozilla Firefox\\firefox.exe',
      '?:\\Program Files*\\Opera\\*\\opera.exe',
      '?:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe',
      '?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe',
      '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe',
      '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
      '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe',
      '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe'
    ) or
    (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*'))
# Response: terminate the offending process when the condition matches
action:
  - name: kill
min-engine-version: 3.0.0