Adding new persistence artifacts

artifacts/definitions/Windows/Persistence/DSRMBackdoor.yaml

@@ -0,0 +1,39 @@
+name: Windows.Persistence.DSRMBackdoor
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+    The password used to enter Directory Services Restore Mode (DSRM) is the 
+    password set to the local administrator of a Domain Controller during 
+    DCPROMO. If the DsrmAdminLogonBehavior property of the 
+    HKLM:\System\CurrentControlSet\Control\Lsa key is set to 2, this password 
+    can be used to access the Domain Controller with the local administrator account.
+reference:
+    - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+    - https://adsecurity.org/?p=1785
+type: CLIENT
+
+parameters:
+  - name: GlobPath
+    default: "HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\*"
+    description: The path to check. 
+  - name: Value
+    default: 2
+    type: int
+    description: The value to search for. 
+  - name: GlobName
+    default: "DsrmAdminLogonBehavior"
+    description: The name to check. 
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+      SELECT
+        Mtime as LastModified,
+        OSPath as KeyPath,
+        Name as KeyName,
+        Data.type as KeyType,
+        Data.value as KeyValue    
+      FROM glob(globs=GlobPath, accessor="registry")
+      WHERE KeyName =~ GlobName
+        AND KeyValue = Value

artifacts/definitions/Windows/Persistence/DotNetStartupHooks.yaml

@@ -0,0 +1,47 @@
+name: Windows.Persistence.DotNetStartupHooks
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+    The .NET DLLs listed in the DOTNET_STARTUP_HOOKS environment variable are 
+    loaded into .NET processes at runtime.
+reference:
+    - https://persistence-info.github.io/Data/dotnetstartuphooks.html
+    - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+parameters:
+  - name: GlobPath
+    description: The paths to the check.
+    type: csv
+    default: |
+      EnvPath
+      "HKEY_USERS\\*\\Environment\\"
+      "HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\"
+
+  - name: EnvValue
+    description: The keyname to check
+    type: string
+    default: "DOTNET_STARTUP_HOOKS"
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+        LET Keys = SELECT * FROM foreach(
+            row=GlobPath,
+            query={
+                SELECT  
+                    OSPath AS EnvKey,
+                    Data.value AS Value,
+                    Mtime AS LastModified
+                FROM glob(
+                    globs=EnvPath + EnvValue,
+                    accessor="registry")
+            })
+
+
+        SELECT * FROM foreach(
+            row=Keys,
+            query={
+                SELECT _value AS ModulePath, EnvKey, LastModified 
+                FROM items(item=split(string=Value, sep=";"))})

artifacts/definitions/Windows/Persistence/GhostTask.yaml

@@ -0,0 +1,44 @@
+name: Custom.Windows.Persistence.GhostTask
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+    Malicious scheduled tasks can be created manually by properly modifying some 
+    registry keys. Tasks created in this way and without the SD property do not 
+    show up in the Task Scheduler utility or in the Event Log. 
+reference:
+    - https://github.com/netero1010/GhostTask
+    - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+        LET Root = pathspec(
+            parse="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache",
+            path_type="registry")
+
+        -- Go up two levels and append the Id to find the tasks key
+        LET Tree = SELECT Key.OSPath AS TreePath,
+                          Id,
+                          Key.OSPath.Dirname.Dirname + ("Tasks", Id) AS TaskKey
+        FROM read_reg_key(root=Root + "Tree", globs="*")
+        WHERE not SD
+
+        -- Read each tasks key and show all the values
+        SELECT * FROM foreach(
+          row=Tree,
+          query={
+            SELECT TreePath,
+                   Id,
+                   Path,
+                   format(format="%02x", args=str(str=Hash)) AS Hash,
+                   Schema,
+                   Version,
+                   Description,
+                   URI,
+                   Triggers,
+                   Actions,
+                   DynamicInfo
+            FROM read_reg_key(root=TaskKey, globs="*")
+          })

artifacts/definitions/Windows/Persistence/MicrosoftOfficeAIHijacking.yaml

@@ -0,0 +1,27 @@
+name: Windows.Persistence.MicrosoftOfficeAIHijacking
+author: Chris Jones - CPIRT | FabFaeb | Antonio Blescia (TheThMando) | bmcder02
+description: |
+    Office executables like WINWORD.exe look for AI.exe under the 
+    %ProgramFiles%\Microsoft Office\root\<Office Version> and 
+    %ProgramFiles(x86)%\Microsoft Office\root\<Office Version> directories. 
+    An attacker may place a malicious AI.exe there in order to have persistence 
+    whenever a user interacts with the Microsoft Office Suite.
+reference:
+    - https://twitter.com/laughing_mantis/status/1645268114966470662
+    - https://github.com/last-byte/PersistenceSniper/blob/main/PersistenceSniper/PersistenceSniper.psm1
+type: CLIENT
+
+parameters:
+  - name: GlobPath
+    description: The paths to the check.
+    default: "C:\\Program File*\\Microsoft Office\\root\\Office*\\ai.exe"
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+        SELECT 
+          Name AS FileName, OSPath as FilePath, Mtime, Atime, Ctime, Btime,
+          Size, hash(path=OSPath) AS Hash, authenticode(filename=OSPath) AS authenticode
+        FROM glob(globs=GlobPath)