Detection rule, level: medium, status: test

Potential Persistence Via Custom Protocol Handler

Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by registering a custom handler that is later invoked as a persistence mechanism.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Mon May 30
Updated: Fri May 12
Rule ID: fdbf0b9d-0182-4c43-893b-a1eaab92d085
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (3 selectors)
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid false positives
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment this section to add specific protocol handler names that are known
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
False Positives

Many legitimate applications register custom protocol handlers. Additional filters need to be applied according to your environment.
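As an added illustration (not the rule's own tooling and not pySigma), the following Python applies the rule's three selectors, and the optional environment allowlist that the commented-out filter_specific block hints at, to a handful of constructed registry_set events. The event contents, image paths and handler names are made up for the example; field names follow the Sigma registry_set log source (TargetObject, Details, Image).

```python
"""Added example: evaluate this Sigma rule's logic over constructed
Sysmon Event ID 13 (registry_set) events. Illustrative code only; it
mirrors the rule's selectors and condition, it is not pySigma."""

# Prefixes copied from the rule. Sigma's |startswith modifier is
# case-insensitive, so every comparison below lower-cases both sides.
SELECTION_TARGET_PREFIX = "HKCR\\"
SELECTION_DETAILS_PREFIX = "URL:"
MS_TRUSTED_PREFIX = "URL:ms-"
GENERIC_LOCATIONS = (
    "C:\\Program Files (x86)",
    "C:\\Program Files\\",
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
)


def _startswith(value: str, prefixes) -> bool:
    """Case-insensitive equivalent of Sigma's |startswith over a value list."""
    value = value.lower()
    return any(value.startswith(p.lower()) for p in prefixes)


def selection(event: dict) -> bool:
    """'selection' block: a value under HKCR\\ whose data starts with 'URL:'."""
    return (_startswith(event.get("TargetObject", ""), [SELECTION_TARGET_PREFIX])
            and _startswith(event.get("Details", ""), [SELECTION_DETAILS_PREFIX]))


def filter_main_ms_trusted(event: dict) -> bool:
    """'filter_main_ms_trusted': Microsoft's own ms-* handlers."""
    return _startswith(event.get("Details", ""), [MS_TRUSTED_PREFIX])


def filter_main_generic_locations(event: dict) -> bool:
    """'filter_main_generic_locations': writer image lives in a system folder."""
    return _startswith(event.get("Image", ""), GENERIC_LOCATIONS)


def make_details_filter(known_handlers):
    """Build the tuning filter the rule leaves commented out as filter_specific:
    suppress events whose Details value is on an environment-specific allowlist."""
    known = {k.lower() for k in known_handlers}
    return lambda event: event.get("Details", "").lower() in known


def rule_matches(event: dict, extra_filters=()) -> bool:
    """condition: selection and not 1 of filter_main_* (plus any tuning filters)."""
    if not selection(event):
        return False
    filters = (filter_main_ms_trusted, filter_main_generic_locations, *extra_filters)
    return not any(f(event) for f in filters)


def alerts(events, extra_filters=()):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if rule_matches(e, extra_filters)]


# Constructed sample events; paths, handler names and data are invented.
SAMPLE_EVENTS = [
    # Unsigned-looking installer in a temp folder registering a new scheme: alert.
    {"id": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKCR\\updsvc\\(Default)", "Details": "URL:updsvc protocol"},
    # Windows component registering an ms-* scheme: suppressed by both filters.
    {"id": 2, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKCR\\ms-settings\\(Default)", "Details": "URL:ms-settings"},
    # Application installed under Program Files: suppressed by the location filter.
    {"id": 3, "Image": "C:\\Program Files\\ExampleVendor\\app.exe",
     "TargetObject": "HKCR\\examplevendor\\(Default)", "Details": "URL:ExampleVendor Protocol"},
    # Not under HKCR at all: the selection itself does not match.
    {"id": 4, "Image": "C:\\Users\\bob\\Downloads\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Example\\Path", "Details": "URL:something"},
    # User-profile installer registering a scheme: alert until allowlisted.
    {"id": 5, "Image": "C:\\Users\\bob\\Downloads\\installer.exe",
     "TargetObject": "HKCR\\lineapp\\(Default)", "Details": "URL:lineapp"},
]


if __name__ == "__main__":
    print("baseline alerts:", alerts(SAMPLE_EVENTS))  # [1, 5]
    tuned = [make_details_filter(["URL:lineapp"])]
    print("after tuning:", alerts(SAMPLE_EVENTS, tuned))  # [1]
```

The tuning filter shows the shape of the adjustment the False Positives note asks for: rather than widening the generic location list, allowlist the exact Details value of a handler you have verified in your environment, so the rule keeps firing on unknown schemes written from user-writable paths.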

Rule Metadata
Rule ID: fdbf0b9d-0182-4c43-893b-a1eaab92d085
Status: test
Level: medium
Type: Detection
Created: Mon May 30
Modified: Fri May 12
Path: rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.t1112