persistence_potential_mandatory_profile_registry_persistence.yml
name: Potential mandatory profile registry persistence
id: e9c9fa57-5088-4d40-8a5e-2aa70ec6e189
version: 1.0.1
description: |
  Identifies suspicious creation of the NTUSER.MAN file within user profile
  directories, a lesser-known persistence technique that abuses mandatory
  user profiles. By planting a crafted NTUSER.MAN, an attacker can force
  Windows to load attacker-controlled registry settings at every logon,
  achieving durable boot or logon persistence.
labels:
  tactic.id: TA0003
  tactic.name: Persistence
  tactic.ref: https://attack.mitre.org/tactics/TA0003/
  technique.id: T1547
  technique.name: Boot or Logon Autostart Execution
  technique.ref: https://attack.mitre.org/techniques/T1547/
  subtechnique.id: T1547.001
  subtechnique.name: Registry Run Keys / Startup Folder
  subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
references:
  - https://deceptiq.com/blog/ntuser-man-registry-persistence
  - https://github.com/MHaggis/notes/tree/master/utilities/MandatoryProfilePersistence
condition: >
  create_file and
  evt.pid != 4 and ps.token.integrity_level != 'SYSTEM' and
  file.path imatches '?:\\Users\\*\\NTUSER.MAN' and
  ps.exe not imatches
    (
      '?:\\Windows\\System32\\userinit.exe',
      '?:\\Windows\\System32\\winlogon.exe'
    ) and
  not (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.cmdline matches '*-k UserProfileService -p -s ProfSvc')
action:
  - name: kill
severity: high
min-engine-version: 3.0.0
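As an added example (not part of the rule repository or its engine), the condition above re-implemented in Python and run over constructed file-create events, so each exclusion (System process, SYSTEM-integrity token, userinit/winlogon, the User Profile Service svchost) can be checked against a true positive; the event fields, process names and paths are assumed stand-ins for what the engine would supply.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Patterns copied from the rule; raw strings keep the backslashes literal.
TARGET_PATH = r"?:\Users\*\NTUSER.MAN"
PROFILE_LOADERS = (r"?:\Windows\System32\userinit.exe",
                   r"?:\Windows\System32\winlogon.exe")
SVCHOST = r"?:\Windows\System32\svchost.exe"
PROFSVC_CMDLINE = "*-k UserProfileService -p -s ProfSvc"

@dataclass
class FileCreateEvent:  # constructed stand-in for the fields the rule reads
    pid: int              # evt.pid
    integrity_level: str  # ps.token.integrity_level
    exe: str              # ps.exe
    cmdline: str          # ps.cmdline
    path: str             # file.path

def imatches(value, *patterns):
    """Case-insensitive glob, like the rule's imatches (any pattern in the list)."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_fires(evt):
    """Evaluate the rule's condition for one create_file event."""
    if evt.pid == 4 or evt.integrity_level == "SYSTEM":
        return False  # System process or a SYSTEM-integrity token
    if not imatches(evt.path, TARGET_PATH):
        return False  # not NTUSER.MAN under a user profile directory
    if imatches(evt.exe, *PROFILE_LOADERS):
        return False  # userinit.exe / winlogon.exe handle profiles legitimately
    # 'matches' (no i) in the rule is case-sensitive, hence no lower() here
    if imatches(evt.exe, SVCHOST) and fnmatchcase(evt.cmdline, PROFSVC_CMDLINE):
        return False  # the User Profile Service itself
    return True

# Constructed sample events: a true positive plus the rule's exclusions.
SAMPLE_EVENTS = {
    "dropper": FileCreateEvent(4120, "MEDIUM", r"C:\Tools\dropper.exe",
                               "dropper.exe", r"C:\Users\alice\ntuser.man"),
    "profsvc": FileCreateEvent(1332, "HIGH", r"C:\Windows\System32\svchost.exe",
                               "svchost.exe -k UserProfileService -p -s ProfSvc",
                               r"C:\Users\alice\NTUSER.MAN"),
    "userinit": FileCreateEvent(900, "HIGH", r"C:\Windows\System32\userinit.exe",
                                "userinit.exe", r"C:\Users\bob\NTUSER.MAN"),
    "ntuser_dat": FileCreateEvent(4120, "MEDIUM", r"C:\Tools\dropper.exe",
                                  "dropper.exe", r"C:\Users\alice\NTUSER.DAT"),
}

def evaluate(events=SAMPLE_EVENTS):
    return {name: rule_fires(evt) for name, evt in events.items()}
```

Only the dropper event fires; the same process writing NTUSER.DAT does not, which shows the rule keys on the .MAN extension rather than on profile-hive writes in general.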