Potential Persistence Attempt Via ErrorHandler.Cmd
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
Sigma rule (View on GitHub)
1title: Potential Persistence Attempt Via ErrorHandler.Cmd
2id: 15904280-565c-4b73-9303-3291f964e7f9
3status: test
4description: |
5 Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
6 The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
7references:
8 - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
9 - https://github.com/last-byte/PersistenceSniper
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-08-09
12modified: 2022-12-19
13tags:
14 - attack.persistence
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂 Still, good to document some of it in a more permanent way so this is the persistence bit I posted about y...
Read More -
Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made w...
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint