Detection | medium | test
Potential Persistence Via Event Viewer Events.asp
Detects a potential registry persistence technique that abuses the Event Viewer "Events.asp" redirection settings
Author: Nasreddine Bencherchali (Nextron Systems) | Created Fri Feb 17 | Updated Sun Mar 05 | a1e11042-a74a-46e6-b07c-c4ce8ecc239b | windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (5 selectors)
detection:
    selection:
        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
    filter_default_redirect_program:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
    filter_default_redirect_program_cli:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
        Details: '-url hcp://services/centers/support?topic=%%s'
    filter_url:
        Details: 'http://go.microsoft.com/fwlink/events.asp'
    filter_cleaner:
        Details: '(Empty)'
    condition: selection and not 1 of filter_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
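The selection and filter logic of this rule, as an added example that is not part of the rule or the Sigma project: a small Python evaluator run over constructed Sysmon-style registry_set records (fields Image, TargetObject, Details; the "id" labels and sample values are mine). It applies Sigma's default case-insensitive string matching and the rule's condition, so the GPO defaults, the Microsoft URL and the "(Empty)" cleanup value are filtered out while a non-default redirection program alerts.

```python
# Added example (not the rule's or the Sigma project's code): evaluate this rule's
# selection/filter logic over constructed Sysmon-style registry_set events.
EV_KEY = r"\Microsoft\Windows NT\CurrentVersion\Event Viewer"
SVCHOST = r"C:\WINDOWS\system32\svchost.exe"

def _f(event, field):
    # Sigma string modifiers (contains/endswith/equals) are case-insensitive by default.
    return str(event.get(field, "")).lower()

def selection(e):
    # TargetObject|contains with a list means "any of these substrings".
    needles = (EV_KEY + r"\MicrosoftRedirectionProgram", EV_KEY + r"\MicrosoftRedirectionURL")
    return any(n.lower() in _f(e, "TargetObject") for n in needles)

def _gpo_default(e, value_name, details):
    # Shared shape of the two svchost/GPO filters: Image, TargetObject and Details must all match.
    return (_f(e, "Image").endswith(SVCHOST.lower())
            and _f(e, "TargetObject").endswith((EV_KEY + "\\" + value_name).lower())
            and _f(e, "Details") == details.lower())

FILTERS = (
    lambda e: _gpo_default(e, "MicrosoftRedirectionProgram",
                           r"%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe"),
    lambda e: _gpo_default(e, "MicrosoftRedirectionProgramCommandLineParameters",
                           "-url hcp://services/centers/support?topic=%%s"),
    lambda e: _f(e, "Details") == "http://go.microsoft.com/fwlink/events.asp",  # filter_url
    lambda e: _f(e, "Details") == "(empty)",                                    # filter_cleaner
)

def matches(e):
    # condition: selection and not 1 of filter_*
    return selection(e) and not any(f(e) for f in FILTERS)

HKLM = r"HKLM\SOFTWARE" + EV_KEY
HKCU = r"HKCU\Software\Policies" + EV_KEY
SAMPLE_EVENTS = [  # constructed; "id" is a label for this example, not a Sysmon field
    {"id": "gpo-default", "Image": SVCHOST, "TargetObject": HKLM + r"\MicrosoftRedirectionProgram",
     "Details": r"%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe"},
    {"id": "url-default", "Image": r"C:\Windows\regedit.exe", "TargetObject": HKLM + r"\MicrosoftRedirectionURL",
     "Details": "http://go.microsoft.com/fwlink/events.asp"},
    {"id": "cleared", "Image": r"C:\Windows\System32\reg.exe", "TargetObject": HKCU + r"\MicrosoftRedirectionProgram",
     "Details": "(Empty)"},
    {"id": "custom-redirect", "Image": r"C:\Windows\System32\reg.exe", "TargetObject": HKCU + r"\MicrosoftRedirectionProgram",
     "Details": r"C:\ProgramData\Example\helper.exe"},  # constructed non-default value: should alert
    {"id": "unrelated-key", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example", "Details": r"C:\ProgramData\Example\helper.exe"},
]

def alerts(events=SAMPLE_EVENTS):
    # Returns the ids of events the rule would fire on.
    return [e["id"] for e in events if matches(e)]
```

Running `alerts()` on the sample set returns `['custom-redirect']`; the other four records are either outside the selection or removed by one of the filters.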
MITRE ATT&CK
Techniques: T1112
Rule Metadata
Rule ID: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
Status: test
Level: medium
Type: Detection
Created: Fri Feb 17
Modified: Sun Mar 05
Path: rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.t1112