Detectionhightest
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Karneades, Jonhnathan Ribeiro, Florian Roth (Nextron Systems)Created Wed Apr 11Updated Mon Jun 0536803969-5421-41ec-b92f-8500f79c23b0windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
selection_global_flag:
TargetObject|contains|all:
- '\Microsoft\Windows NT\CurrentVersion\'
- '\Image File Execution Options\'
- '\GlobalFlag'
selection_silent_process:
TargetObject|contains|all:
- '\Microsoft\Windows NT\CurrentVersion\'
- '\SilentProcessExit\'
TargetObject|contains:
- '\ReportingMode'
- '\MonitorProcess'
condition: 1 of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
CAR Analytics
2013-01-002 · CAR 2013-01-002
Related Rules
Similar
Rule not foundc81fe886-cac0-4913-a511-2822d72ff505
Rule Metadata
Rule ID
36803969-5421-41ec-b92f-8500f79c23b0
Status
test
Level
high
Type
Detection
Created
Wed Apr 11
Modified
Mon Jun 05
Path
rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1546.012car.2013-01-002