Techniques
Sample rules
Potential Persistence Via Custom Protocol Handler
- source: sigma
- techniques:
- t1112
Description
Detects potential persistence activity via the registration of a new custom protocol handler under HKCR. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by registering a custom handler whose command is later triggered as a persistence mechanism.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic_locations:
    Image|startswith:
        - 'C:\Program Files (x86)'
        - 'C:\Program Files\'
        - 'C:\Windows\System32\'
        - 'C:\Windows\SysWOW64\'
filter_main_ms_trusted:
    Details|startswith: 'URL:ms-'
selection:
    Details|startswith: 'URL:'
    TargetObject|startswith: 'HKCR\'
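The following is an added example, not code from the Sigma project or this rule's author: a minimal Python evaluator that implements the selection, filter and condition semantics of the rule above and runs them over constructed Sysmon Event ID 13 (registry value set) records. The sample events, image paths and registry keys are made up for illustration. Sigma's `|startswith` modifier is case-insensitive by default, so the comparison lowercases both sides; the condition `selection and not 1 of filter_main_*` is evaluated as "selection matched and none of the filter blocks matched".

```python
"""Evaluate the 'Potential Persistence Via Custom Protocol Handler' Sigma rule
over constructed Sysmon registry_set events. Added example, not project code."""

from typing import Dict, List, Union

Prefixes = Union[str, List[str]]

# The three blocks of the rule, transcribed from the detection logic above.
# Within a block every field must match (AND); a list of values is an OR.
SELECTION: Dict[str, Prefixes] = {
    "Details": "URL:",
    "TargetObject": "HKCR\\",
}
FILTER_MAIN_GENERIC_LOCATIONS: Dict[str, Prefixes] = {
    "Image": [
        "C:\\Program Files (x86)",
        "C:\\Program Files\\",
        "C:\\Windows\\System32\\",
        "C:\\Windows\\SysWOW64\\",
    ],
}
FILTER_MAIN_MS_TRUSTED: Dict[str, Prefixes] = {
    "Details": "URL:ms-",
}
FILTERS = [FILTER_MAIN_GENERIC_LOCATIONS, FILTER_MAIN_MS_TRUSTED]


def _startswith(value: str, prefixes: Prefixes) -> bool:
    """Sigma |startswith: case-insensitive, OR over a list of values."""
    if isinstance(prefixes, str):
        prefixes = [prefixes]
    lowered = (value or "").lower()
    return any(lowered.startswith(p.lower()) for p in prefixes)


def _block_matches(event: Dict[str, str], block: Dict[str, Prefixes]) -> bool:
    """All field/modifier pairs in one selection or filter block must hold."""
    return all(_startswith(event.get(field, ""), pfx) for field, pfx in block.items())


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not _block_matches(event, SELECTION):
        return False
    return not any(_block_matches(event, f) for f in FILTERS)


# Constructed Sysmon Event ID 13 records (field names as Sysmon/Sigma use them).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # unsigned binary in a user temp dir registers a new scheme: should alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        "TargetObject": "HKCR\\zz-update\\(Default)",
        "Details": "URL:zz-update Protocol",
    },
    {   # installer under Program Files: suppressed by filter_main_generic_locations
        "Image": "C:\\Program Files\\VendorApp\\installer.exe",
        "TargetObject": "HKCR\\vendorapp\\(Default)",
        "Details": "URL:vendorapp",
    },
    {   # scheme named ms-*: suppressed by filter_main_ms_trusted regardless of Image
        "Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Contoso\\app.exe",
        "TargetObject": "HKCR\\ms-contoso\\(Default)",
        "Details": "URL:ms-contoso",
    },
    {   # ordinary file-type association, not a protocol handler: not selected
        "Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Contoso\\app.exe",
        "TargetObject": "HKCR\\.txt\\(Default)",
        "Details": "txtfile",
    },
    {   # mixed case: still selected because |startswith is case-insensitive
        "Image": "C:\\Users\\carol\\Downloads\\tool.exe",
        "TargetObject": "hkcr\\Evil\\(Default)",
        "Details": "url:Evil",
    },
]


def alerts(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Return the TargetObject of every event the rule fires on."""
    return [e["TargetObject"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for target in alerts():
        print("ALERT", target)
```

The third sample event is worth noting when tuning: `filter_main_ms_trusted` keys only on the `Details` prefix, so a handler written from a user-writable path is still suppressed as long as its scheme name begins with `ms-`. If that trade-off is not acceptable in your environment, scope that filter with an `Image` condition as well.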