Potential Persistence Via Event Viewer Events.asp

 1title: Potential Persistence Via Event Viewer Events.asp
 2id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
 3status: test
 4description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
 5references:
 6    - https://twitter.com/nas_bench/status/1626648985824788480
 7    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
 8    - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-02-17
12modified: 2023-03-05
13tags:
14    - attack.persistence
15    - attack.defense-evasion
16    - attack.t1112
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
23        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
24        TargetObject|contains:
25            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
26            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
27    filter_default_redirect_program:
28        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
29        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
30        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
31    filter_default_redirect_program_cli:
32        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
33        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
34        Details: '-url hcp://services/centers/support?topic=%%s'
35    filter_url:
36        Details: 'http://go.microsoft.com/fwlink/events.asp'
37    filter_cleaner:
38        Details: '(Empty)'
39    condition: selection and not 1 of filter_*
40falsepositives:
41    - Unknown
42level: medium

References

• x.com

  
  Read More

• Turn off Event Viewer "Events.asp" links

  Specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application.

  
  Read More

• Beyond good ol’ Run key, Part 103

  

  This is yet another feature of Windows. This time it is a configuration settings for Event Viewer. When you open the program via eventvr.exe/msc it will launch the mmc.exe which in turn will load a...

  
  Read More

• atomic-red-team/atomics/T1112/T1112.md at f296668303c29d3f4c07e42bdd2b28d8dd6625f9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
• OilRig APT Activity
• OilRig APT Registry Persistence
• OilRig APT Schedule Task Persistence - Security
• OilRig APT Schedule Task Persistence - System