Legitimate registration of IFilters by the OS or software

Sample rules

Register New IFilter For Persistence

Description

Detects the registration of a new IFilter for a file extension, which an attacker can use for persistence. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.

Detection logic

condition: 1 of selection_* and not 1 of filter_*
filter_default_targets:
  TargetObject|contains:
  - \CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\
  - \CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\
  - \CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\
  - \CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\
  - \CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\
  - \CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\
  - \CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\
  - \CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\
  - \CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\
  - \CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\
  - \CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\
  - \CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\
  - \CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\
  - \CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\
  - \CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\
  - \CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\
  - \CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\
  - \CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\
  - \CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\
  - \CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\
  - \CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\
  - \CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\
  - \CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\
  - \CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\
  - \CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\
  - \CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\
  - \CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}
  - \CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\
filter_generic_paths:
  Image|startswith:
  - C:\Windows\System32\
  - C:\Program Files (x86)\
  - C:\Program Files\
selection_clsid:
  TargetObject|contains|all:
  - \SOFTWARE\Classes\CLSID
  - \PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}
selection_ext:
  TargetObject|contains|all:
  - \SOFTWARE\Classes\.
  - \PersistentHandler
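The condition above evaluated over constructed Sysmon registry events, as an added example that is not the rule's or the LoFP project's own code. The CLSID tuple is a subset of the rule's filter_default_targets list, and every process and key path in the sample records is invented.

```python
# Added example (not the rule's own code): applies the Sigma logic above to
# constructed Sysmon Event ID 13 records. Sigma string modifiers match
# case-insensitively, so comparisons are done on lower-cased values.
# Subset of the rule's filter_default_targets list; production code needs all of it.
DEFAULT_CLSIDS = (
    "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\",
    "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\",
    "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\",
    "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}",
)
GENERIC_IMAGE_PREFIXES = ("C:\\Windows\\System32\\", "C:\\Program Files (x86)\\", "C:\\Program Files\\")
ADDIN_KEY = "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}"


def rule_matches(target_object: str, image: str) -> bool:
    """True when '1 of selection_* and not 1 of filter_*' holds for one event."""
    target, img = target_object.lower(), image.lower()
    # selection_clsid: persistent handler bound under Classes\CLSID
    selection_clsid = "\\software\\classes\\clsid" in target and ADDIN_KEY.lower() in target
    # selection_ext: PersistentHandler subkey under a file-extension class
    selection_ext = "\\software\\classes\\." in target and "\\persistenthandler" in target
    if not (selection_clsid or selection_ext):
        return False
    # filter_default_targets: handlers that ship with Windows
    filter_default = any(c.lower() in target for c in DEFAULT_CLSIDS)
    # filter_generic_paths: writing process lives in System32 or Program Files
    filter_generic = any(img.startswith(p.lower()) for p in GENERIC_IMAGE_PREFIXES)
    return not (filter_default or filter_generic)


# Constructed Sysmon Event ID 13 (registry value set) records, not real telemetry.
SAMPLE_EVENTS = [
    # Windows component registering a filter: suppressed by filter_generic_paths.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.txt\PersistentHandler"},
    # Installer under Program Files: the LoFP case this page is about, suppressed.
    {"Image": r"C:\Program Files\ExampleViewer\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.xyz\PersistentHandler"},
    # Lower-cased default CLSID: still suppressed because matching ignores case.
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{4f46f75f-199f-4c63-8b7d-86d48fe7970c}"
                     r"\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}"},
    # Binary in a user-writable location binding a handler to .pdf: alert.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.pdf\PersistentHandler"},
]


def alerts(events=SAMPLE_EVENTS):
    return [e["Image"] for e in events if rule_matches(e["TargetObject"], e["Image"])]
```

Sigma's contains and startswith modifiers are case-insensitive, so a backend that compares case-sensitively would miss the default-CLSID filter on the third record and raise a false positive.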