title: Registry Persistence Mechanisms
author: Karneades, Jonhnathan Ribeiro
date: 2018/04/11
description: Detects persistence registry keys
detection:
  SELECTION_1:
    EventID: 12
  SELECTION_10:
    TargetObject: '*\MonitorProcess*'
  SELECTION_2:
    EventID: 13
  SELECTION_3:
    EventID: 14
  SELECTION_4:
    TargetObject:
    - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*'
  SELECTION_5:
    TargetObject: '*\Image File Execution Options\\*'
  SELECTION_6:
    TargetObject: '*\GlobalFlag*'
  SELECTION_7:
    TargetObject: '*SilentProcessExit\\*'
  SELECTION_8:
    TargetObject: '*\ReportingMode*'
  SELECTION_9:
    TargetObject: '*SilentProcessExit\\*'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and ((SELECTION_5
    and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)))
falsepositives:
- unknown
id: 36803969-5421-41ec-b92f-8500f79c23b0
level: critical
logsource:
  category: registry_event
  product: windows
modified: 2020/09/06
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
status: experimental
tags:
- attack.privilege_escalation
- attack.persistence
- attack.defense_evasion
- attack.t1183
- attack.t1546.012
- car.2013-01-002
ruletype: SIGMA