Sigma Rules
889 rules found for "persistence"
Non-privileged Usage of Reg or Powershell
Detects usage of reg.exe or PowerShell by non-privileged users to modify service configuration in the registry
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, a trick often used to evade security solutions that whitelist the real $Recycle.Bin path.
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Suspicious New Service Creation
Detects creation of a new service via the "sc" command or the PowerShell "New-Service" cmdlet with suspicious binary paths
Tasks Folder Evasion
The Tasks folders in System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this and influence any script host or any .NET application running from Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Registry Modification Attempt Via VBScript
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat actors may use this technique to evade detection by security solutions that monitor only direct registry modifications through those traditional tools.
Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run a COM object via its CLSID (GUID)
Suspicious VBoxDrvInst.exe Parameters
Detects VBoxDrvInst.exe run with parameters that allow it to process an INF file. This can be used to create values in the registry and install drivers; for example, one could obtain persistence by modifying the Run or RunOnce registry keys
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run for a specific VM state
VMToolsd Suspicious Child Process
Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) web shells
Webshell Hacking Activity Patterns
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
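The three web shell rules above share one shape: a web server worker as the parent, and a shell, a reconnaissance command, or a help-switch probe as the child. The following is an added example, not Sigma's own code or rule logic, that applies those patterns to constructed Sysmon Event ID 1 (process creation) records. The parent/child image lists, the keyword list, the Tomcat heuristic (java.exe whose command line mentions Catalina) and the sample events are this example's own assumptions.

```python
"""Parent/child process patterns for web shell activity, run over constructed
Sysmon Event ID 1 records. Added example; lists and events are assumptions."""

import re

# Web server worker processes; a shell or recon tool under one of these is suspect.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx.exe", "nginx",
                     "php-cgi.exe", "php.exe"}

# Children a web shell typically spawns for interactive control.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "sh", "bash"}

# Command-line keywords typical of post-web-shell reconnaissance.
RECON_KEYWORDS = ("whoami", "net user", "net localgroup", "ipconfig", "systeminfo", "quser", "tasklist")

# Probing for scripting tools via their help switches (perl/python/wget).
TOOL_PROBE = re.compile(r"\b(perl|python|wget|curl)(\.exe)?\s+(--help|-h)\b", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_web_server_parent(event: dict) -> bool:
    """True for IIS/Apache/nginx/PHP workers, and for a Tomcat JVM (assumption: java.exe running Catalina)."""
    parent = basename(event.get("ParentImage", ""))
    if parent in WEB_SERVER_IMAGES:
        return True
    return parent in ("java.exe", "java") and "catalina" in event.get("ParentCommandLine", "").lower()


def check_event(event: dict) -> list:
    """Return the names of the rules a process-creation event matches."""
    if not is_web_server_parent(event):
        return []
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if image in SHELL_IMAGES:
        hits.append("Suspicious Process By Web Server Process")
    if any(k in cmdline.lower() for k in RECON_KEYWORDS):
        hits.append("Webshell Detection With Command Line Keywords")
    if TOOL_PROBE.search(cmdline):
        hits.append("Webshell Tool Reconnaissance Activity")
    return hits


def scan(events: list) -> list:
    """(event index, rule name) for every match, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentCommandLine": "w3wp.exe -ap DefaultAppPool",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /priv"},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "ParentCommandLine": r"java.exe -Dcatalina.base=C:\Tomcat org.apache.catalina.startup.Bootstrap start",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "python --help"'},
    # Benign: ASP.NET compiling a page; csc.exe under w3wp.exe is routine.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentCommandLine": "w3wp.exe -ap DefaultAppPool",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /t:library /out:App_Web.dll"},
    # Benign: the same command from an interactive session, not a web server.
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign csc.exe record is the usual false-positive source for the first rule: ASP.NET compiles pages on demand under w3wp.exe, so a production version of this check should exclude the .NET compiler chain rather than alert on every child of the worker.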
Suspicious WindowsTerminal Child Processes
Detects suspicious child processes spawned via the Windows Terminal application, which could be a sign of persistence via Windows Terminal profiles
Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin", which is used as part of a UEFI-based (Windows Platform Binary Table) persistence method
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler, which is exactly what makes it usable as a persistence location.
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
Creation of a Local Hidden User Account by Registry
Detects, via Sysmon registry events, the creation of a hidden local user account (an account whose name ends in "$")
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
Wdigest CredGuard Registry Modification
Detects potential malicious modification of the IsCredGuardEnabled value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Credential Guard on a system. This is usually combined with UseLogonCredential to force plaintext credential caching.
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Potential Qakbot Registry Activity
Detects a registry key used by IcedID in a campaign that distributes malicious OneNote files
Path To Screensaver Binary Modified
Detects modification of the registry value (SCRNSAVE.EXE) containing the path to the binary used as screensaver.
Narrator's Feedback-Hub Persistence
Detects abuse of the Windows 10 Narrator's Feedback-Hub for persistence
NetNTLM Downgrade Attack - Registry
Detects a NetNTLM downgrade attack via modification of the NTLM-related registry values (e.g. LmCompatibilityLevel)
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified under the AppCertDlls registry key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls) can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
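Several of the registry rules above (User Shell Folders, MiniNt, WDigest, AppCertDlls, AppInit_DLLs) reduce to matching the target value path and, in some cases, the written data. The following is an added example, not Sigma's own code or rule logic, that runs those checks over constructed Sysmon registry events (Event ID 12 for key creation, Event ID 13 for value set). The path suffixes, the DWORD text format, the WDigest value pairing and the sample records are this example's own assumptions.

```python
"""Registry persistence and tampering checks over constructed Sysmon registry
events (EID 12 = key create, EID 13 = value set). Added example; assumptions
are the path suffixes, the Sysmon Details format and the sample records."""

import re

# Sysmon reports hives as HKLM / HKU; map the long spellings other sources use.
HIVE_ALIASES = {"hkey_local_machine\\": "hklm\\", "hkey_users\\": "hku\\",
                "hkey_current_user\\": "hkcu\\"}

APPINIT_SUFFIX = "\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls"
APPCERT_KEY = "\\control\\session manager\\appcertdlls\\"
USER_SHELL_STARTUP = "\\currentversion\\explorer\\user shell folders\\startup"
MININT_KEY = "\\currentcontrolset\\control\\minint"
WDIGEST_KEY = "\\control\\securityproviders\\wdigest\\"
DWORD_ONE = re.compile(r"dword \(0x0*1\)", re.I)    # Sysmon writes "DWORD (0x00000001)"
DWORD_ZERO = re.compile(r"dword \(0x0+\)", re.I)


def normalise(target: str) -> str:
    """Lower-case the path and map long hive names onto Sysmon's short form."""
    t = target.replace("/", "\\").lower()
    for long_name, short_name in HIVE_ALIASES.items():
        t = t.replace(long_name, short_name)
    return t


def check_event(event: dict) -> list:
    """Return the names of the rules a registry event matches (possibly empty)."""
    target = normalise(event["TargetObject"])
    details = event.get("Details", "")
    eid = event["EventID"]
    hits = []

    # AppInit_DLLs is "" on a clean host; a write of the empty default is not a finding.
    if eid == 13 and target.endswith(APPINIT_SUFFIX) and details.strip() not in ("", "(empty)"):
        hits.append("New DLL Added to AppInit_DLLs Registry Key")

    # Every value under AppCertDlls is a DLL path, so any value set is interesting.
    if eid == 13 and APPCERT_KEY in target:
        hits.append("New DLL Added to AppCertDlls Registry Key")

    # Startup folder redirected away from the default Start Menu location.
    if eid == 13 and target.endswith(USER_SHELL_STARTUP) \
            and "\\start menu\\programs\\startup" not in details.lower():
        hits.append("User Shell Folders Registry Modification")

    # MiniNt is a key, so it shows up as a key-creation event, not a value set.
    if eid == 12 and target.endswith(MININT_KEY):
        hits.append("Disable Security Events Logging Adding Reg Key MiniNt")

    # UseLogonCredential=1 or IsCredGuardEnabled=0 under the WDigest key.
    if eid == 13 and WDIGEST_KEY in target:
        value = target.rsplit("\\", 1)[-1]
        if (value == "uselogoncredential" and DWORD_ONE.search(details)) or \
           (value == "iscredguardenabled" and DWORD_ZERO.search(details)):
            hits.append("Wdigest CredGuard Registry Modification")
    return hits


def scan(events: list) -> list:
    """(event index, rule name) pairs for every match, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name in check_event(ev)]


# Constructed Sysmon-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\updater.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": ""},  # reset to the empty default: benign
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\loader",
     "Details": r"C:\ProgramData\loader.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": r"C:\ProgramData\Startup"},
    {"EventID": 12, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt", "Details": ""},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # not covered here
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Two details matter in practice: the AppInit_DLLs check ignores writes of the empty default, because installers and uninstallers rewrite that value routinely, and the MiniNt check keys on the key-creation event rather than a value set, since creating the key alone is enough to stop event logging after the next reboot.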
Office Application Startup - Office Test
Detects the addition of the Office Test registry key (HKCU\Software\Microsoft\Office test\Special\Perf), which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
Registry Persistence Mechanisms in Recycle Bin
Detects registry keys used for persistence via the Recycle Bin shell folder handler
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook