From 5996f07e93e76dbd51d34d027f98da2ef349c1a1 Mon Sep 17 00:00:00 2001
From: bmcder02
Date: Fri, 2 Feb 2024 14:43:08 +1000
Subject: [PATCH] Adding new Persistence artifacts
---
 .../Windows/Persistence/DSRMBackdoor.yaml | 39 +++++++++++++++
 .../Persistence/DotNetStartupHooks.yaml | 47 +++++++++++++++++++
 .../Windows/Persistence/GhostTask.yaml | 44 +++++++++++++++++
 .../MicrosoftOfficeAIHijacking.yaml | 27 +++++++++++
 ...lentProcessExit => SilentProcessExit.yaml} | 0
 5 files changed, 157 insertions(+)
 create mode 100644 artifacts/definitions/Windows/Persistence/DSRMBackdoor.yaml
 create mode 100644 artifacts/definitions/Windows/Persistence/DotNetStartupHooks.yaml
 create mode 100644 artifacts/definitions/Windows/Persistence/GhostTask.yaml
 create mode 100644 artifacts/definitions/Windows/Persistence/MicrosoftOfficeAIHijacking.yaml
 rename artifacts/definitions/Windows/Persistence/{SilentProcessExit => SilentProcessExit.yaml} (100%)
diff --git a/artifacts/definitions/Windows/Persistence/DSRMBackdoor.yaml b/artifacts/definitions/Windows/Persistence/DSRMBackdoor.yaml
new file mode 100644
index 00000000000..847c40ae4e4
--- /dev/null
+++ b/artifacts/definitions/Windows/Persistence/DSRMBackdoor.yaml
@@ -0,0 +1,39 @@
+name: Windows.Persistence.DSRMBackdoor
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+ The password used to enter Directory Services Restore Mode (DSRM) is the
+ password set to the local administrator of a Domain Controller during
+ DCPROMO. If the DsrmAdminLogonBehavior property of the
+ HKLM:\System\CurrentControlSet\Control\Lsa key is set to 2, this password
+ can be used to access the Domain Controller with the local administrator account.
+reference:
+ - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+ - https://adsecurity.org/?p=1785
+type: CLIENT
+
+parameters:
+ - name: GlobPath
+ default: "HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\*"
+ description: The path to check.
+ - name: Value
+ default: 2
+ type: int
+ description: The value to search for.
+ - name: GlobName
+ default: "DsrmAdminLogonBehavior"
+ description: The name to check.
+
+sources:
+ - precondition:
+ SELECT OS From info() where OS = 'windows'
+
+ query: |
+ SELECT
+ Mtime as LastModified,
+ OSPath as KeyPath,
+ Name as KeyName,
+ Data.type as KeyType,
+ Data.value as KeyValue
+ FROM glob(globs=GlobPath, accessor="registry")
+ WHERE KeyName =~ GlobName
+ AND KeyValue = Value
diff --git a/artifacts/definitions/Windows/Persistence/DotNetStartupHooks.yaml b/artifacts/definitions/Windows/Persistence/DotNetStartupHooks.yaml
new file mode 100644
index 00000000000..b204343a5a7
--- /dev/null
+++ b/artifacts/definitions/Windows/Persistence/DotNetStartupHooks.yaml
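Review bot: The filter `WHERE KeyName =~ GlobName AND KeyValue = Value` only surfaces the setting 2 ("always allow DSRM logon"); the linked adsecurity reference also describes the value 1, which permits DSRM logon whenever the AD DS service is stopped, and since the value does not exist by default any present non-zero setting is what a defender wants to see. Consider `WHERE KeyName =~ GlobName AND KeyValue != 0`, or at least document in the `Value` parameter description that 1 is the other non-default setting. `GlobName` is compared with the regex operator `=~`, not as a glob, so a description such as `The value name to match (regex).` would be more accurate than "The name to check." The `*ControlSet*` glob also matches CurrentControlSet and ControlSet00N together, so the same setting can be listed more than once; a sentence in the description saying this is expected would save triage time.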
@@ -0,0 +1,47 @@
+name: Windows.Persistence.DotNetStartupHooks
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+ The .NET DLLs listed in the DOTNET_STARTUP_HOOKS environment variable are
+ loaded into .NET processes at runtime.
+reference:
+ - https://persistence-info.github.io/Data/dotnetstartuphooks.html
+ - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+parameters:
+ - name: GlobPath
+ description: The paths to the check.
+ type: csv
+ default: |
+ EnvPath
+ "HKEY_USERS\\*\\Environment\\"
+ "HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\"
+
+ - name: EnvValue
+ description: The keyname to check
+ type: string
+ default: "DOTNET_STARTUP_HOOKS"
+
+sources:
+ - precondition:
+ SELECT OS From info() where OS = 'windows'
+
+ query: |
+ LET Keys = SELECT * FROM foreach(
+ row=GlobPath,
+ query={
+ SELECT
+ OSPath AS EnvKey,
+ Data.value AS Value,
+ Mtime AS LastModified
+ FROM glob(
+ globs=EnvPath + EnvValue,
+ accessor="registry")
+ })
+
+
+ SELECT * FROM foreach(
+ row=Keys,
+ query={
+ SELECT _value AS ModulePath, EnvKey, LastModified
+ FROM items(item=split(string=Value, sep=";"))})
diff --git a/artifacts/definitions/Windows/Persistence/GhostTask.yaml b/artifacts/definitions/Windows/Persistence/GhostTask.yaml
new file mode 100644
index 00000000000..e09164cd400
--- /dev/null
+++ b/artifacts/definitions/Windows/Persistence/GhostTask.yaml
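Review bot: The two rows of the `GlobPath` csv default escape backslashes differently: the HKEY_USERS row doubles every backslash, while the HKEY_LOCAL_MACHINE row doubles only the first and the last (`\\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\`). Because `default: |` is a YAML block scalar, nothing unescapes those sequences — unlike the double-quoted default in DSRMBackdoor.yaml — so the doubled backslashes reach the registry accessor as written and the two rows yield differently-shaped paths; whether the accessor tolerates the resulting empty path components I cannot confirm from here, but both rows should be written the same way and the artifact run once to check that the HKLM row actually returns the Session Manager value. The second query also emits an empty `ModulePath` row when the variable ends in `;`, which `WHERE _value != ""` inside the inner query would drop. The parameter description `The paths to the check.` has a stray "the".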
@@ -0,0 +1,44 @@
+name: Custom.Windows.Persistence.GhostTask
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+ Malicious scheduled tasks can be created manually by properly modifying some
+ registry keys. Tasks created in this way and without the SD property do not
+ show up in the Task Scheduler utility or in the Event Log.
+reference:
+ - https://github.com/netero1010/GhostTask
+ - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+sources:
+ - precondition:
+ SELECT OS From info() where OS = 'windows'
+
+ query: |
+ LET Root = pathspec(
+ parse="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache",
+ path_type="registry")
+
+ -- Go up two levels and append the Id to find the tasks key
+ LET Tree = SELECT Key.OSPath AS TreePath,
+ Id,
+ Key.OSPath.Dirname.Dirname + ("Tasks", Id) AS TaskKey
+ FROM read_reg_key(root=Root + "Tree", globs="*")
+ WHERE not SD
+
+ -- Read each tasks key and show all the values
+ SELECT * FROM foreach(
+ row=Tree,
+ query={
+ SELECT TreePath,
+ Id,
+ Path,
+ format(format="%02x", args=str(str=Hash)) AS Hash,
+ Schema,
+ Version,
+ Description,
+ URI,
+ Triggers,
+ Actions,
+ DynamicInfo
+ FROM read_reg_key(root=TaskKey, globs="*")
+ })
\ No newline at end of file
diff --git a/artifacts/definitions/Windows/Persistence/MicrosoftOfficeAIHijacking.yaml b/artifacts/definitions/Windows/Persistence/MicrosoftOfficeAIHijacking.yaml
new file mode 100644
index 00000000000..ed4f3008187
--- /dev/null
+++ b/artifacts/definitions/Windows/Persistence/MicrosoftOfficeAIHijacking.yaml
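Review bot: The artifact is named `Custom.Windows.Persistence.GhostTask` although it is added under `artifacts/definitions/Windows/Persistence/` beside the other three files in this commit, which all use the `Windows.Persistence.` prefix; `Custom.` is the prefix for user-supplied artifacts and looks like a leftover from development, so `name: Windows.Persistence.GhostTask`. The file also ends without a trailing newline (`\ No newline at end of file`). The `-- Go up two levels` comment is helpful; a matching comment on `WHERE not SD`, e.g. `-- A Tree entry with no SD value is the GhostTask indicator: such tasks do not appear in the Task Scheduler UI or Event Log`, would make the detection logic self-explanatory since that condition is the whole point of the artifact.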
@@ -0,0 +1,27 @@
+name: Windows.Persistence.MicrosoftOfficeAIHijacking
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+ Office executables like WINWORD.exe look for AI.exe under the
+ %ProgramFiles%\Microsoft Office\root\ and
+ %ProgramFiles(x86)%\Microsoft Office\root\ directories.
+ An attacker may place a malicious AI.exe there in order to have persistence
+ whenever a user interacts with the Microsoft Office Suite.
+reference:
+ - https://twitter.com/laughing_mantis/status/1645268114966470662
+ - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+parameters:
+ - name: GlobPath
+ description: The paths to the check.
+ default: "C:\\Program File*\\Microsoft Office\\root\\Office*\\ai.exe"
+
+sources:
+ - precondition:
+ SELECT OS From info() where OS = 'windows'
+
+ query: |
+ SELECT
+ Name AS FileName, OSPath as FilePath, Mtime, Atime, Ctime, Btime,
+ Size, hash(path=OSPath) AS Hash, authenticode(filename=OSPath) AS authenticode
+ FROM glob(globs=GlobPath)
diff --git a/artifacts/definitions/Windows/Persistence/SilentProcessExit b/artifacts/definitions/Windows/Persistence/SilentProcessExit.yaml
similarity index 100%
rename from artifacts/definitions/Windows/Persistence/SilentProcessExit
rename to artifacts/definitions/Windows/Persistence/SilentProcessExit.yaml
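Review bot: `authenticode(filename=OSPath) AS authenticode` aliases the column with the function's lowercase name while its neighbours are `FileName`, `FilePath` and `Hash`, and the same SELECT mixes `as` and `AS` (`OSPath as FilePath`); `AS Authenticode` and `AS FilePath` keep the column set consistent. The default `GlobPath` hard-codes `C:\Program File*` whereas the description talks about `%ProgramFiles%` and `%ProgramFiles(x86)%`, so an Office install on another drive or path is silently missed — either state that assumption in the parameter description or build the glob from the environment. Since every matching file is returned, the description should say that a hit is not a finding on its own and that the `Hash` and `Authenticode` columns are what distinguish a planted binary from a legitimately signed one. The parameter description `The paths to the check.` has a stray "the".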