Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Sigma rule (View on GitHub)
1title: Potential Persistence Via GlobalFlags
2id: 36803969-5421-41ec-b92f-8500f79c23b0
3related:
4 - id: c81fe886-cac0-4913-a511-2822d72ff505
5 type: obsolete
6status: test
7description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
8references:
9 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
10 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
11author: Karneades, Jonhnathan Ribeiro, Florian Roth
12date: 2018-04-11
13modified: 2023-06-05
14tags:
15 - attack.privilege-escalation
16 - attack.persistence
17 - attack.t1546.012
18 - car.2013-01-002
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 selection_global_flag:
24 TargetObject|contains|all:
25 - '\Microsoft\Windows NT\CurrentVersion\'
26 - '\Image File Execution Options\'
27 - '\GlobalFlag'
28 selection_silent_process:
29 TargetObject|contains|all:
30 - '\Microsoft\Windows NT\CurrentVersion\'
31 - '\SilentProcessExit\'
32 TargetObject|contains:
33 - '\ReportingMode'
34 - '\MonitorProcess'
35 condition: 1 of selection_*
36falsepositives:
37 - Unknown
38level: high
References
Related rules
- Potential Persistence Via App Paths Default Property
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation