Potential Persistence Via Custom Protocol Handler

Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by registering a custom handler that launches their own code and using it as a persistence trigger.

Sigma rule (View on GitHub)

title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by registering a custom handler to be used as a persistence mechanism.
references:
    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/30
modified: 2023/05/12
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid FP
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment this section to add specific protocol handler names that are known
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.
level: medium
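To see what the selection and the two filters actually do, here is the rule's condition re-implemented in Python and run over a handful of Sysmon registry_set (Event ID 13) records. This is an added example written for this page, not code from the rule author or from SigmaHQ; the events are constructed rather than captured, and every process name, handler name and path in them is hypothetical. One detail worth keeping in mind when porting the logic: Sigma string modifiers such as `startswith` match case-insensitively, so the comparison below folds case too.

```python
"""Evaluate the 'Potential Persistence Via Custom Protocol Handler' Sigma
logic over Sysmon registry_set (Event ID 13) records.

Added example for this page; it is not code from the rule author or from
SigmaHQ. The events below are constructed, not captured from a real host,
and every process name, handler name and path in them is hypothetical.
"""

from dataclasses import dataclass

# Mirrors filter_main_generic_locations in the rule (the first entry, like
# the rule's, carries no trailing backslash).
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Program Files (x86)",
    "C:\\Program Files\\",
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
)


@dataclass(frozen=True)
class RegistrySetEvent:
    """The Sysmon Event ID 13 fields the rule reads."""
    image: str          # process that wrote the value
    target_object: str  # registry path as Sysmon renders it
    details: str        # new value data


def _startswith(value: str, prefixes) -> bool:
    """Sigma string modifiers match case-insensitively; do the same here."""
    if isinstance(prefixes, str):
        prefixes = (prefixes,)
    v = value.casefold()
    return any(v.startswith(p.casefold()) for p in prefixes)


def selection(ev: RegistrySetEvent) -> bool:
    return _startswith(ev.target_object, "HKCR\\") and _startswith(ev.details, "URL:")


def filter_main_ms_trusted(ev: RegistrySetEvent) -> bool:
    return _startswith(ev.details, "URL:ms-")


def filter_main_generic_locations(ev: RegistrySetEvent) -> bool:
    return _startswith(ev.image, TRUSTED_IMAGE_PREFIXES)


def matches(ev: RegistrySetEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not (
        filter_main_ms_trusted(ev) or filter_main_generic_locations(ev)
    )


# Constructed events. Sysmon writes a key's default value as "(Default)".
SAMPLE_EVENTS = [
    # 1. Binary in a user-writable path registers a new scheme: alert.
    RegistrySetEvent(
        image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
        target_object="HKCR\\reviewlink\\(Default)",
        details="URL:reviewlink Protocol",
    ),
    # 2. Same kind of key written by an installer under Program Files: suppressed.
    RegistrySetEvent(
        image="C:\\Program Files\\ContosoSuite\\setup.exe",
        target_object="HKCR\\contoso\\(Default)",
        details="URL:Contoso Protocol",
    ),
    # 3. ms-* scheme from a user path: suppressed by filter_main_ms_trusted.
    RegistrySetEvent(
        image="C:\\Users\\jdoe\\AppData\\Local\\Vendor\\app.exe",
        target_object="HKCR\\ms-sample\\(Default)",
        details="URL:ms-sample",
    ),
    # 4. HKCR write that is not a protocol handler: not selected at all.
    RegistrySetEvent(
        image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
        target_object="HKCR\\.rvw\\(Default)",
        details="reviewfile",
    ),
    # 5. Per-user handler. Sysmon reports the user Classes hive under HKU\,
    #    not HKCR\, so the rule as written does not select it (assumed
    #    rendering; verify against your own Sysmon events).
    RegistrySetEvent(
        image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
        target_object="HKU\\S-1-5-21-1000-1000-1000-1001_Classes\\reviewlink\\(Default)",
        details="URL:reviewlink Protocol",
    ),
]


def run_rule(events):
    """Return the TargetObject of every event the rule would alert on."""
    return [ev.target_object for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only event 1 survives: the installer in Program Files and the `ms-` scheme are dropped by the two filters, the file-type association never enters the selection, and the per-user handler (event 5) shows the rule's blind spot, since the selection is anchored on `HKCR\` only. That last case is the kind of gap a practitioner should decide on deliberately when tuning the `filter_main_*` lists for their environment.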
