Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by setting a custom handler to be used for persistence.
Sigma rule

```yaml
title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by setting a custom handler to be used for persistence.
references:
    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-30
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid FP
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment this section to add specific protocol handler names that are known
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.
level: medium
```
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird