Sigma Rules
888 rules found for "persistence"
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
Potential Persistence Via TypedPaths
Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
Potential Persistence Via Excel Add-in - Registry
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Persistence Via New SIP Provider
Detects when an attacker register a new SIP provider for persistence and defense evasion
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
Modify User Shell Folders Startup Value
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.
New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
COM Hijacking via TreatAs
Detect modification of TreatAs key to enable "rundll32.exe -sta" command
VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
WMI Event Subscription
Detects creation of WMI event subscription persistence method
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
CosmicDuke Service Installation
Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
StoneDrill Service Install
This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
Turla Service Install
This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
Turla PNG Dropper Service
This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
APT27 - Emissary Panda Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks