Add 4 miscellaneous persistence techniques.

nursery/persist-via-application-shimming.yml

@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: persist via application shimming
+    namespace: persistence/file-system-and-registry
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Application Shimming [T1546.011]
+    references:
+      - https://cloud.google.com/blog/topics/threat-intelligence/fin7-shim-databases-persistence/
+  features:
+    - or:
+      - and:
+        - match: set registry value
+        - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
+        - string: /DatabasePath/i
+      - and:
+        - or:
+          - match: copy file
+          - match: move file
+          - match: host-interaction/file-system/write
+        - string: /.sdb/i

nursery/persist-via-bits-job.yml

@@ -0,0 +1,29 @@
+rule:
+  meta:
+    name: persist via BITS job
+    namespace: persistence/custom-db
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::BITS Jobs [T1197]
+    references:
+      - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+  features:
+    - or:
+      - and:
+        - api: ole32.CoCreateInstance
+        - string: "4991d34b-80a1-4291-83b6-3328366b9097" # BITS
+      - and:
+        - match: host-interaction/process/create
+        - or:
+          - and:
+            - string: /bitsadmin(|\.exe) /i
+            - string: /\/SetNotifyCmdLine/i
+          - and:
+            - or:
+              - string: /Set-BitsTransfer /i
+              - string: /Start-BitsTransfer /i
+            - string: / -NotifyCmdLine /i

nursery/persist-via-print-processors-registry-key.yml

@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: persist via Print Processors registry key
+    namespace: persistence/file-system-and-registry
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Print Processors [T1547.012]
+    references:
+      - https://stmxcsr.com/persistence/print-processor.html
+  features:
+    - or:
+      - and:
+        - match: set registry value
+        - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
+        - string: /^Driver$/i
+      - and:
+        - or:
+          - match: copy file
+          - match: move file
+          - match: host-interaction/file-system/write
+        - string: /\\spool\\PRTPROCS\\/i

nursery/persist-via-wmi-event-subscription.yml

@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: persist via WMI event subscription
+    namespace: persistence/custom-db
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Windows Management Instrumentation Event Subscription [T1546.003]
+    references:
+      - https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+      - https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap/
+  features:
+    - or:
+      - and:
+        - api: ole32.CoCreateInstance
+        - string: "4590F811-1D3A-11D0-891F-00AA004B2E24" # IWbemLocator
+      - and:
+        - match: host-interaction/process/create
+        - or:
+          - string: /wmic(|\.exe) /i
+          - string: /Register-WMIEvent /i