Skip to content
This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Add modification-of-exefile-shell-open-key.md #431

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add modification-of-exefile-shell-open-key.md #431

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions Persistence/modification-of-exefile-shell-open-key.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Modification of exefile shell open key

Detect modification of the exefile shell open command, which is used to persist on a system without having to add other persistence mechanism. MITRE ATT&CK is T1546.001 (Event Triggered Execution: Change Default File Association).

The detection logic is also included in the [Sigma rule for asep modification.](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml) or in [Shell Open Registry Keys Manipulation](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml) too.

## Query

```
// # exefile file handler open command manipulation
//
// MITRE ATT&CK: T1546.001 - Event Triggered Execution: Change Default File Association
//
// Registry edits by campaigns using lokibot malware (November 2021)
//
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"Classes\exefile\shell\open\command"
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | T1546.001, [Lokibot sample from Nov 2021](https://tria.ge/211119-gs7rtshcfr/behavioral2) |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |


## Contributor info
**Contributor:** Andreas Hunkeler
**GitHub alias:** @Karneades
**Organization:** Swisscom (Schweiz) AG

**Contact info:** https://twitter.com/swisscom_csirt