Register New IFiltre For Persistence

Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.

Sigma rule (View on GitHub)

```yaml
title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
status: experimental
description: |
    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
    You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
references:
    - https://persistence-info.github.io/Data/ifilters.html
    - https://twitter.com/0gtweet/status/1468548924600459267
    - https://github.com/gtworek/PSBits/tree/master/IFilter
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2024/03/26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_ext:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\.'
            - '\PersistentHandler'
    selection_clsid:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\CLSID'
            - '\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}'
    filter_default_targets:
        TargetObject|contains:
            # TODO: Add the default extension PersistentHandler.
            # Note: this could also create a blind spot, as the attacker could use one of these and hijack it
            - '\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\' # Office Open XML Format PowerPoint Persistent Handler
            - '\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\' # Office Open XML Format Word Persistent Handler
            - '\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
            - '\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\' # Null persistent handler
            - '\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\' # PDF Persistent Handler
            - '\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\' # rtf persistent handler
            - '\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\' # Open Document Format ODT Persistent Handler
            - '\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\' # Zip Persistent Handler
            - '\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\' # Open Document Format ODS Persistent Handler
            - '\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\' # Setting Content File Persistent Handler
            - '\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\' # Plain Text persistent handler
            - '\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\' # Wordpad OOXML Document Filter
            - '\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\' # XML File Persistent Handler
            - '\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\' # .url File Persistent Handler
            - '\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\' # html persistent handler for mapi email
            - '\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\' # Microsoft Office Persistent Handler
            - '\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\' # Wordpad ODT Document Filter
            - '\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\' # App Content File Persistent Handler
            - '\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\' # rtf persistent handler for mapi email
            - '\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\' # text persistent handler for mapi email
            - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler
            - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler
            - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler
            # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
            - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler
    filter_generic_paths:
        Image|startswith:
            # Note: We assume that if an attacker has access to one of these directories, they already have admin.
            - 'C:\Windows\System32\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate registration of IFilters by the OS or software
level: medium
```
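
To see what the condition fires on and what its two filters suppress, the following added example (not part of the rule or the SigmaHQ repository) evaluates the rule's logic over constructed registry_set events. The event values, the `.xyz` extension, the `{11111111-...}` GUID and the file paths are assumptions made for illustration, and only two of the rule's default handler CLSIDs are carried over.

```python
# Added illustration: the rule's condition evaluated over constructed events.
IFILTER_IID = r"\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}"
SELECTIONS = {  # TargetObject|contains|all
    "selection_ext": [r"\SOFTWARE\Classes\.", r"\PersistentHandler"],
    "selection_clsid": [r"\SOFTWARE\Classes\CLSID", IFILTER_IID],
}
# Two entries from the rule's filter_default_targets list (abbreviated here).
DEFAULT_TARGETS = [
    "\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\",  # Plain Text
    "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\",  # PDF
]
GENERIC_PATHS = ["C:\\Windows\\System32\\", "C:\\Program Files (x86)\\",
                 "C:\\Program Files\\"]
CLASSES = r"HKLM\SOFTWARE\Classes"
UNTRUSTED = r"C:\Users\alice\AppData\Local\Temp\setup.exe"  # constructed path

def contains(value, needle):
    """Sigma string modifiers match case-insensitively."""
    return needle.lower() in value.lower()

def rule_matches(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    target, image = event["TargetObject"], event["Image"]
    selected = any(all(contains(target, s) for s in subs)
                   for subs in SELECTIONS.values())
    filtered = (any(contains(target, t) for t in DEFAULT_TARGETS)
                or any(image.lower().startswith(p.lower()) for p in GENERIC_PATHS))
    return selected and not filtered

EVENTS = [  # constructed registry_set events
    # 1. New extension handler set by a binary outside the trusted paths: alert.
    {"Image": UNTRUSTED,
     "TargetObject": CLASSES + r"\.xyz\PersistentHandler\(Default)"},
    # 2. Same write from Program Files: dropped by filter_generic_paths.
    {"Image": r"C:\Program Files\Vendor\install.exe",
     "TargetObject": CLASSES + r"\.xyz\PersistentHandler\(Default)"},
    # 3. IFilter registered under a new handler CLSID (constructed GUID): alert.
    {"Image": UNTRUSTED, "TargetObject": CLASSES
     + r"\CLSID\{11111111-2222-3333-4444-555555555555}" + IFILTER_IID},
    # 4. IFilter changed under the default Plain Text handler: dropped by
    #    filter_default_targets, the blind spot the rule's comment mentions.
    {"Image": UNTRUSTED, "TargetObject": CLASSES
     + r"\CLSID\{5E941D80-BF96-11CD-B579-08002B30BFEB}" + IFILTER_IID + r"\(Default)"},
]

def evaluate(events=EVENTS):
    return [rule_matches(e) for e in events]

if __name__ == "__main__":
    print(evaluate())
```

Event 4 is the case to cover with a separate control, such as baselining the DLL each default handler's IFilter CLSID resolves to, because this rule will not alert on it.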
