Find sigma rule

Attack: Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

MITRE

Tactic

privilege-escalation
persistence

technique

T1546

Test : HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)

OS

windows

Description:

An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. reference

Executor

powershell

Sigma Rule

registry_set_asep_reg_keys_modification_common.yml (id: f59c3faf-50f3-464b-9f4c-1b67ab512d99)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test