Detection | medium | test

Potential Persistence Via Event Viewer Events.asp

Detects a potential registry persistence technique that abuses the Event Viewer "Events.asp" redirection settings

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Feb 17
Updated: Sun Mar 05
Rule ID: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (5 selectors)
detection:
    selection:
        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
    filter_default_redirect_program:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
    filter_default_redirect_program_cli:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
        Details: '-url hcp://services/centers/support?topic=%%s'
    filter_url:
        Details: 'http://go.microsoft.com/fwlink/events.asp'
    filter_cleaner:
        Details: '(Empty)'
    condition: selection and not 1 of filter_*
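To make the selector/filter interplay concrete, here is an added example (not part of the rule or of the Sigma project) that re-implements the rule's condition in plain Python and runs it over a handful of constructed Sysmon Event ID 13 (registry value set) records. It assumes the registry_set field names the rule uses (Image, TargetObject, Details) and follows the Sigma convention that string modifiers compare case-insensitively; the sample events, their id values and the non-default paths in them are invented for illustration. Note that the first selection entry also matches the MicrosoftRedirectionProgramCommandLineParameters value, because contains is a substring test, and that each filter is a conjunction: a default value written by something other than svchost.exe still alerts.

```python
"""Stand-alone model of the rule's selection / filter logic over constructed events.

Illustrative only: this is not the Sigma engine. Sigma string modifiers
(contains, endswith, exact match) are case-insensitive, so every comparison
lowercases both sides.
"""

# --- constants lifted verbatim from the rule's YAML -------------------------
SELECTION_CONTAINS = (
    r'\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram',
    r'\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL',
)
SVCHOST = r'C:\WINDOWS\system32\svchost.exe'
REDIRECT_PROGRAM_KEY = r'\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
REDIRECT_CLI_KEY = REDIRECT_PROGRAM_KEY + 'CommandLineParameters'
DEFAULT_PROGRAM = r'%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
DEFAULT_CLI = '-url hcp://services/centers/support?topic=%%s'
DEFAULT_URL = 'http://go.microsoft.com/fwlink/events.asp'


def _field(event, name):
    """Return a field lowercased (missing fields compare as empty strings)."""
    return str(event.get(name, "")).lower()


def selection(event):
    """TargetObject|contains: either Event Viewer redirection value."""
    target = _field(event, "TargetObject")
    return any(s.lower() in target for s in SELECTION_CONTAINS)


def filter_default_redirect_program(event):
    """svchost.exe (GPO) writing the stock HelpCtr.exe redirection program."""
    return (_field(event, "Image").endswith(SVCHOST.lower())
            and _field(event, "TargetObject").endswith(REDIRECT_PROGRAM_KEY.lower())
            and _field(event, "Details") == DEFAULT_PROGRAM.lower())


def filter_default_redirect_program_cli(event):
    """svchost.exe (GPO) writing the stock command-line parameters."""
    return (_field(event, "Image").endswith(SVCHOST.lower())
            and _field(event, "TargetObject").endswith(REDIRECT_CLI_KEY.lower())
            and _field(event, "Details") == DEFAULT_CLI.lower())


def filter_url(event):
    """The stock Microsoft events.asp redirection URL, from any writer."""
    return _field(event, "Details") == DEFAULT_URL.lower()


def filter_cleaner(event):
    """Sysmon reports a deleted/blank value as '(Empty)'."""
    return _field(event, "Details") == "(empty)"


FILTERS = (filter_default_redirect_program, filter_default_redirect_program_cli,
           filter_url, filter_cleaner)


def rule_matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def alerts(events):
    """Ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# --- constructed sample events (Sysmon EID 13 shaped; values are invented) ---
_POLICY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Event Viewer'
_USER = r'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer'
SAMPLE_EVENTS = [
    {"id": "gpo-program", "Image": SVCHOST,
     "TargetObject": _POLICY + r'\MicrosoftRedirectionProgram', "Details": DEFAULT_PROGRAM},
    {"id": "gpo-cli", "Image": SVCHOST,
     "TargetObject": _POLICY + r'\MicrosoftRedirectionProgramCommandLineParameters',
     "Details": DEFAULT_CLI},
    {"id": "gpo-url", "Image": SVCHOST,
     "TargetObject": _POLICY + r'\MicrosoftRedirectionURL', "Details": DEFAULT_URL},
    {"id": "cleanup", "Image": SVCHOST,
     "TargetObject": _POLICY + r'\MicrosoftRedirectionProgram', "Details": "(Empty)"},
    {"id": "unrelated", "Image": r'C:\Windows\regedit.exe',
     "TargetObject": r'HKCU\SOFTWARE\Example\Setting', "Details": "1"},
    # Non-default program in a user-hive copy of the key: alerts.
    {"id": "suspicious-program", "Image": r'C:\Windows\System32\reg.exe',
     "TargetObject": _USER + r'\MicrosoftRedirectionProgram',
     "Details": r'C:\Users\Public\unexpected.exe'},
    # Default value, but written by a non-svchost image: filter is conjunctive, so alerts.
    {"id": "nonstandard-writer", "Image": r'C:\Users\Public\tool.exe',
     "TargetObject": _POLICY + r'\MicrosoftRedirectionProgram', "Details": DEFAULT_PROGRAM},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f'{ev["id"]:20s} -> {"ALERT" if rule_matches(ev) else "no match"}')
```

Running the script prints one line per sample event; only "suspicious-program" and "nonstandard-writer" alert, which shows why the Image condition in the GPO filters matters during triage.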
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
a1e11042-a74a-46e6-b07c-c4ce8ecc239b
Status
test
Level
medium
Type
Detection
Created
Fri Feb 17
Modified
Sun Mar 05
Path
rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1112