From 48621e0210a0e5081233275e6009c65a41318423 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 5 Nov 2024 14:00:03 +0100
Subject: [PATCH] Add 4 miscellaneous persistence techniques.
---
 nursery/persist-via-application-shimming.yml | 25 ++++++++++++++++
 nursery/persist-via-bits-job.yml | 29 +++++++++++++++++++
 ...sist-via-print-processors-registry-key.yml | 25 ++++++++++++++++
 .../persist-via-wmi-event-subscription.yml | 24 +++++++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 nursery/persist-via-application-shimming.yml
 create mode 100644 nursery/persist-via-bits-job.yml
 create mode 100644 nursery/persist-via-print-processors-registry-key.yml
 create mode 100644 nursery/persist-via-wmi-event-subscription.yml
diff --git a/nursery/persist-via-application-shimming.yml b/nursery/persist-via-application-shimming.yml
new file mode 100644
index 00000000..cca43ce6
--- /dev/null
+++ b/nursery/persist-via-application-shimming.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: persist via application shimming
+ namespace: persistence/file-system-and-registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Application Shimming [T1546.011]
+ references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/fin7-shim-databases-persistence/
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\/i
+ - string: /DatabasePath/i
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /.sdb/i
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
new file mode 100644
index 00000000..dbcbe1b0
--- /dev/null
+++ b/nursery/persist-via-bits-job.yml
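Review bot: The last feature of persist-via-application-shimming.yml, `- string: /.sdb/i`, has an unescaped dot, so the regex matches any character followed by `sdb` (`asdb`, `msdb`, a path containing `sdb` anywhere) rather than the shim-database extension, which widens the file-write branch well beyond its intent. Escaping the dot and anchoring to the end of the string, `- string: /\.sdb$/i`, restricts it to paths that end in `.sdb`; the registry branch above it is unaffected. A short comment above the InstalledSDB regex, `# custom shim databases are registered under this key; DatabasePath points at the .sdb file`, would save readers a trip to the reference.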
@@ -0,0 +1,29 @@
+rule:
+ meta:
+ name: persist via BITS job
+ namespace: persistence/custom-db
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::BITS Jobs [T1197]
+ references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+ features:
+ - or:
+ - and:
+ - api: ole32.CoCreateInstance
+ - string: "4991d34b-80a1-4291-83b6-3328366b9097" # BITS
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - and:
+ - string: /bitsadmin(|\.exe) /i
+ - string: /\/SetNotifyCmdLine/i
+ - and:
+ - or:
+ - string: /Set-BitsTransfer /i
+ - string: /Start-BitsTransfer /i
+ - string: / -NotifyCmdLine /i
diff --git a/nursery/persist-via-print-processors-registry-key.yml b/nursery/persist-via-print-processors-registry-key.yml
new file mode 100644
index 00000000..71768ef8
--- /dev/null
+++ b/nursery/persist-via-print-processors-registry-key.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: persist via Print Processors registry key
+ namespace: persistence/file-system-and-registry
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Print Processors [T1547.012]
+ references:
+ - https://stmxcsr.com/persistence/print-processor.html
+ features:
+ - or:
+ - and:
+ - match: set registry value
+ - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Environments\\.*\\Print Processors\\/i
+ - string: /^Driver$/i
+ - and:
+ - or:
+ - match: copy file
+ - match: move file
+ - match: host-interaction/file-system/write
+ - string: /\\spool\\PRTPROCS\\/i
diff --git a/nursery/persist-via-wmi-event-subscription.yml b/nursery/persist-via-wmi-event-subscription.yml
new file mode 100644
index 00000000..459bea4e
--- /dev/null
+++ b/nursery/persist-via-wmi-event-subscription.yml
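Review bot: The CLSID feature in persist-via-bits-job.yml, `- string: "4991d34b-80a1-4291-83b6-3328366b9097" # BITS`, is an exact-match string, so it only fires when the binary stores the GUID as text in precisely this lowercase, brace-less spelling; a `{...}`-wrapped or upper-case literal, forms a GUID string commonly takes, is missed, and the same applies to the locator CLSID string in persist-via-wmi-event-subscription.yml. A case-insensitive substring regex, `- string: /4991d34b-80a1-4291-83b6-3328366b9097/i`, covers those spellings. Samples that embed the CLSID as a 16-byte constant rather than a string still do not match either branch; a `bytes:` feature holding the GUID's in-memory encoding, or-ed with the string, would close that gap. The comment would also be more precise as `# CLSID_BackgroundCopyManager`, naming the coclass handed to CoCreateInstance rather than the technology.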
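Review bot: The registry regex in persist-via-print-processors-registry-key.yml only accepts `CurrentControlSet` or `ControlSet001`, so a write addressed through `ControlSet002` (a live control set on many hosts) does not satisfy the rule even though the Print Processors key is the same. `ControlSet\d{3}` covers every numbered set: `- string: /SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Environments\\.*\\Print Processors\\/i`. The `.*` between `Environments` and `Print Processors` also spans backslashes, so it admits more than one path component; `[^\\]*` keeps it to the single environment name if that tightening is wanted.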
@@ -0,0 +1,24 @@
+rule:
+ meta:
+ name: persist via WMI event subscription
+ namespace: persistence/custom-db
+ authors:
+ - j.j.vannielen@utwente.nl
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Persistence::Event Triggered Execution::Windows Management Instrumentation Event Subscription [T1546.003]
+ references:
+ - https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+ - https://cloud.google.com/blog/topics/threat-intelligence/dissecting-one-ofap/
+ features:
+ - or:
+ - and:
+ - api: ole32.CoCreateInstance
+ - string: "4590F811-1D3A-11D0-891F-00AA004B2E24" # IWbemLocator
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - string: /wmic(|\.exe) /i
+ - string: /Register-WMIEvent /i
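Review bot: The comment on the GUID string, `# IWbemLocator`, names an interface, but `4590F811-1D3A-11D0-891F-00AA004B2E24` is `CLSID_WbemLocator`, the coclass passed as `rclsid` to CoCreateInstance; `IID_IWbemLocator` is a different value, so a reader checking the constant against the headers will be misled — change it to `# CLSID_WbemLocator`. The exact-match and case concern raised on persist-via-bits-job.yml applies to this string as well. In the process-creation branch, `/wmic(|\.exe) /i` fires on any wmic invocation and `Register-WMIEvent`, as far as I know, registers a session-scoped temporary subscription rather than a permanent one, so neither regex on its own evidences persistence; requiring a string naming the permanent-subscription classes the references describe (for example `__EventFilter` or `__FilterToConsumerBinding`) inside the `and:` would tie the branch to the technique.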