[
  {
    "path": "Persistence/Registry Autoruns/Appinit Dlls",
    "content": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\nHKLM\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
  },
  {
    "path": "Persistence/Registry Autoruns/Boot Execute",
    "content": "HKLM\\System\\CurrentControlSet\\Control\\ServiceControlManagerExtension\nHKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute\nHKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Execute\nHKLM\\System\\CurrentControlSet\\Control\\Session Manager\\S0InitialCommand\nHKLM\\System\\CurrentControlSet\\Control\\Session Manager\\SetupExecute"
  },
  {
    "path": "Persistence/Registry Autoruns/Codecs",
    "content": "HKCU\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance\nHKCU\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance\nHKCU\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance\nHKCU\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance\nHKCU\\Software\\Classes\\Filter\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\nHKCU\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance\nHKCU\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance\nHKCU\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance\nHKCU\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance\nHKCU\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\nHKLM\\Software\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance\nHKLM\\Software\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance\nHKLM\\Software\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance\nHKLM\\Software\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance\nHKLM\\Software\\Classes\\Filter\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\nHKLM\\Software\\Wow6432Node\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance\nHKLM\\Software\\Wow6432Node\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance\nHKLM\\Software\\Wow6432Node\\Classes\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance\nHKLM\\Software\\Wow6432Node\\Classes\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32"
  },
  {
    "path": "Persistence/Registry Autoruns/Drivers",
    "content": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Font Drivers\nHKLM\\System\\CurrentControlSet\\Services"
  },
  {
    "path": "Persistence/Registry Autoruns/Explorer",
    "content": "HKCU\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\*\\ShellEx\\PropertySheetHandlers\nHKCU\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers\nHKCU\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\PropertySheetHandlers\nHKCU\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32\nHKCU\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers\nHKCU\\Software\\Classes\\Directory\\Shellex\\DragDropHandlers\nHKCU\\Software\\Classes\\Directory\\Shellex\\PropertySheetHandlers\nHKCU\\Software\\Classes\\Drive\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\Folder\\Shellex\\ColumnHandlers\nHKCU\\Software\\Classes\\Folder\\ShellEx\\ContextMenuHandlers\nHKCU\\Software\\Classes\\Folder\\ShellEx\\DragDropHandlers\nHKCU\\Software\\Classes\\Folder\\ShellEx\\ExtShellFolderViews\nHKCU\\Software\\Classes\\Folder\\ShellEx\\PropertySheetHandlers\nHKCU\\SOFTWARE\\Classes\\Protocols\\Filter\nHKCU\\SOFTWARE\\Classes\\Protocols\\Handler\nHKCU\\Software\\Microsoft\\Ctf\\LangBarAddin\nHKCU\\SOFTWARE\\Microsoft\\Internet 
Explorer\\Desktop\\Components\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\nHKLM\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\*\\ShellEx\\PropertySheetHandlers\nHKLM\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers\nHKLM\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\PropertySheetHandlers\nHKLM\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers\nHKLM\\Software\\Classes\\Directory\\Shellex\\DragDropHandlers\nHKLM\\Software\\Classes\\Directory\\Shellex\\PropertySheetHandlers\nHKLM\\Software\\Classes\\Drive\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\Folder\\Shellex\\ColumnHandlers\nHKLM\\Software\\Classes\\Folder\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Classes\\Folder\\ShellEx\\DragDropHandlers\nHKLM\\Software\\Classes\\Folder\\ShellEx\\ExtShellFolderViews\nHKLM\\Software\\Classes\\Folder\\ShellEx\\PropertySheetHandlers\nHKLM\\SOFTWARE\\Classes\\Protocols\\Filter\nHKLM\\SOFTWARE\\Classes\\Protocols\\Handler\nHKLM\\Software\\Microsoft\\Ctf\\LangBarAddin\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\nHKLM\\Software\\Wow6432Node\\Classes\\*\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Cla
sses\\*\\ShellEx\\PropertySheetHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\AllFileSystemObjects\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\AllFileSystemObjects\\ShellEx\\PropertySheetHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Directory\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Directory\\Shellex\\CopyHookHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Directory\\Shellex\\DragDropHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Directory\\Shellex\\PropertySheetHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Drive\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Folder\\Shellex\\ColumnHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Folder\\ShellEx\\ContextMenuHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Folder\\ShellEx\\DragDropHandlers\nHKLM\\Software\\Wow6432Node\\Classes\\Folder\\ShellEx\\ExtShellFolderViews\nHKLM\\Software\\Wow6432Node\\Classes\\Folder\\ShellEx\\PropertySheetHandlers\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
  },
  {
    "path": "Persistence/Registry Autoruns/Image Hijacks",
    "content": "HKCU\\Software\\Classes\\.cmd\nHKCU\\Software\\Classes\\.exe\nHKCU\\SOFTWARE\\Classes\\Exefile\\Shell\\Open\\Command\\(Default)\nHKCU\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)\nHKCU\\Software\\Microsoft\\Command Processor\\Autorun\nHKLM\\Software\\Classes\\.cmd\nHKLM\\Software\\Classes\\.exe\nHKLM\\SOFTWARE\\Classes\\Exefile\\Shell\\Open\\Command\\(Default)\nHKLM\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)\nHKLM\\Software\\Microsoft\\Command Processor\\Autorun\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\nHKLM\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
  },
  {
    "path": "Persistence/Registry Autoruns/Internet Explorer",
    "content": "HKCU\\Software\\Microsoft\\Internet Explorer\\Explorer Bars\nHKCU\\Software\\Microsoft\\Internet Explorer\\Extensions\nHKCU\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks\nHKCU\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Explorer Bars\nHKCU\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions\nHKLM\\Software\\Microsoft\\Internet Explorer\\Explorer Bars\nHKLM\\Software\\Microsoft\\Internet Explorer\\Extensions\nHKLM\\Software\\Microsoft\\Internet Explorer\\Toolbar\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\nHKLM\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Explorer Bars\nHKLM\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions\nHKLM\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Toolbar\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
  },
  {
    "path": "Persistence/Registry Autoruns/KnownDlls",
    "content": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls"
  },
  {
    "path": "Persistence/Registry Autoruns/LSA Providers",
    "content": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders"
  },
  {
    "path": "Persistence/Registry Autoruns/Logon",
    "content": "HKCU\\Environment\\UserInitMprLogonScript\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nHKCU\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\nHKCU\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\nHKCU\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\nHKCU\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKCU\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nHKLM\\Environment\\UserInitMprLogonScript\nHKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\nHKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\nHKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal 
Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AlternateShells\\AvailableShells\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nHKLM\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\nHKLM\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\nHKLM\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\nHKLM\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnConnect\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\nHKLM\\System\\CurrentControlSet\\Control\\Terminal 
Server\\Wds\\rdpwd\\StartupPrograms\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram"
  },
  {
    "path": "Persistence/Registry Autoruns/Network Providers",
    "content": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order"
  },
  {
    "path": "Persistence/Registry Autoruns/Office",
    "content": "HKCU\\SOFTWARE\\Microsoft\\Office test\\Special\\Perf\\(Default)\nHKCU\\Software\\Microsoft\\Office\\Access\\Addins\nHKCU\\Software\\Microsoft\\Office\\Excel\\Addins\nHKCU\\Software\\Microsoft\\Office\\Outlook\\Addins\nHKCU\\Software\\Microsoft\\Office\\PowerPoint\\Addins\nHKCU\\Software\\Microsoft\\Office\\Word\\Addins\nHKCU\\Software\\Wow6432Node\\Microsoft\\Office\\Access\\Addins\nHKCU\\Software\\Wow6432Node\\Microsoft\\Office\\Excel\\Addins\nHKCU\\Software\\Wow6432Node\\Microsoft\\Office\\Outlook\\Addins\nHKCU\\Software\\Wow6432Node\\Microsoft\\Office\\PowerPoint\\Addins\nHKCU\\Software\\Wow6432Node\\Microsoft\\Office\\Word\\Addins\nHKLM\\SOFTWARE\\Microsoft\\Office test\\Special\\Perf\\(Default)\nHKLM\\Software\\Microsoft\\Office\\Access\\Addins\nHKLM\\Software\\Microsoft\\Office\\Excel\\Addins\nHKLM\\Software\\Microsoft\\Office\\Outlook\\Addins\nHKLM\\Software\\Microsoft\\Office\\PowerPoint\\Addins\nHKLM\\Software\\Microsoft\\Office\\Word\\Addins\nHKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Access\\Addins\nHKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Excel\\Addins\nHKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Outlook\\Addins\nHKLM\\Software\\Wow6432Node\\Microsoft\\Office\\PowerPoint\\Addins\nHKLM\\Software\\Wow6432Node\\Microsoft\\Office\\Word\\Addins"
  },
  {
    "path": "Persistence/Registry Autoruns/Print Monitor",
    "content": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers"
  },
  {
    "path": "Persistence/Registry Autoruns/Services",
    "content": "HKLM\\System\\CurrentControlSet\\Services\nHKLM\\System\\ControlSet001\nHKLM\\System\\ControlSet002"
  },
  {
    "path": "Persistence/Registry Autoruns/WinLogon",
    "content": "HKLM\\SYSTEM\\Setup\\CmdLine\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Provider Filters\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\PLAP Providers\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman\nHKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe\nHKCU\\Control Panel\\Desktop\\Scrnsave.exe\nHKLM\\System\\CurrentControlSet\\Control\\BootVerificationProgram\\ImagePath\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions"
  },
  {
    "path": "Persistence/Registry Autoruns/WinSocket Providers",
    "content": "HKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries64\nHKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\nHKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries64"
  },
  {
    "path": "README.md",
    "content": "Windows-Hunting\n\nThe purpose of this repository is to aid Windows threat hunters in looking for some common artifacts during their day-to-day operations.\n\nFeel free to contribute."
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_CNC_Possible RDP Tunnel",
    "content": "// Possible RDP tunnel\nProcessCreationEvents | where EventTime > ago(10d)\n| where (ProcessCommandLine contains \":3389\" or ProcessCommandLine contains \":6511\")\n| project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType, FileName, ProcessCommandLine, InitiatingProcessCommandLine"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_CNC_rdp enable",
    "content": "// Allow RDP connection\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where ( ProcessCommandLine contains \"SC CONFIG\" and ProcessCommandLine contains \"DISABLED\" and ProcessCommandLine contains \"wuauserv\" )\nor (ProcessCommandLine contains \"Terminal Serve\" and ProcessCommandLine contains \"fDenyTSConnections\" and ProcessCommandLine contains \"0x0\"  )\n//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_Execution_Echo",
    "content": "// inf file echo creation\nProcessCreationEvents  \n| where EventTime > ago(17d)\n| where ProcessCommandLine contains \"echo\" and ProcessCommandLine contains \".inf\"\n//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_Persistance_AccountCreation",
    "content": "// Accounts Creation\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where ProcessCommandLine contains \"net user\" and ProcessCommandLine contains \"/add\"\n//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalAccounts",
    "content": "// Local Accounts Activation\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where ProcessCommandLine contains \"Administrator /active:yes\" or ProcessCommandLine contains \"guest /active:yes\" \n//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalGroups",
    "content": "// User Addition to Local Groups\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where ProcessCommandLine contains \"localgroup\" and ProcessCommandLine contains \"/add\" and ( ProcessCommandLine contains \"Remote Desktop Users\" or ProcessCommandLine contains \"administrators\")\n//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /APT_IR_Persistance_secedit",
    "content": "// Secedit execution\n// Look for 'InitiatingProcessFileName'\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName contains \"SECEDIT\" \n//| where ProcessCommandLine == @\"secedit.exe /export /cfg ** .inf\"\n| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine)  by InitiatingProcessFileName"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Alert_Summary by AlertTitle",
    "content": "AlertEvents \n| where EventTime > ago(7d)\n| summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category), dcount(ComputerName) by Title \n| sort by dcount_ComputerName desc"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Alert_Summary by Category",
    "content": "AlertEvents \n| where EventTime > ago(7d)\n| summarize dcount(ComputerName), dcount(FileName), makeset(FileName), makeset(ComputerName) by  Category, Severity\n| sort by dcount_ComputerName desc"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Alert_Summary by ComputerName",
    "content": "AlertEvents \n| where EventTime > ago(7d)\n| summarize dcount(Category), dcount(FileName), makeset(Category), makeset(FileName) by ComputerName, Severity\n| sort by dcount_Category desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Alert_Summary by FIleName",
    "content": "AlertEvents \n| where EventTime > ago(7d)\n| summarize dcount(ComputerName), dcount(Category), makeset(Severity),  makeset(Category), makeset(ComputerName) by FileName\n| sort by dcount_ComputerName desc"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Alert_WDAVDetection",
    "content": "MiscEvents    \n| where EventTime > ago(17d)\n| where ActionType == \"WDAVDetection\"\n| summarize  makeset(FileName), makeset(InitiatingProcessParentFileName), makeset(InitiatingProcessFileName), makeset(InitiatingProcessCommandLine), makeset(FolderPath), makeset(InitiatingProcessFolderPath) , makeset(AccountName )  by ComputerName "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Indication_ClearEventlog",
    "content": "// Call ClearEventlog\nProcessCreationEvents  \n| where EventTime > ago(10d)\n| where ProcessCommandLine contains \"call ClearEventlog\" or InitiatingProcessCommandLine contains \"call ClearEventlog\" \n| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)   by InitiatingProcessFileName, ProcessCommandLine\n| sort by dcount_ComputerName desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Indication_OutPut_Redirection",
    "content": "// OutPut Redirection\nProcessCreationEvents  \n| where EventTime > ago(10d)\n| where ProcessCommandLine contains \"2>&1\"\n| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)   by InitiatingProcessFileName, ProcessCommandLine\n| sort by dcount_ComputerName desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Indication_RemoteShareMounting",
    "content": "// Remote Share Mounting\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where ProcessCommandLine contains \"net.exe\"\n| where ProcessCommandLine contains \"\\\\c$\" or ProcessCommandLine contains \"\\\\admin$\" or ProcessCommandLine contains \"\\\\ipc$\""
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Indication_Tool_IMPACKET artifact",
    "content": "// Default IMPACKET artifact in cmdln\nProcessCreationEvents  \n| where EventTime > ago(10d)\n| where ProcessCommandLine contains \"127.0.0.1\\\\ADMIN$\\\\\" and ProcessCommandLine contains \"2>&1\"\n| project EventTime , InitiatingProcessFileName , ProcessCommandLine, AccountName , ComputerName \n| sort by InitiatingProcessFileName desc\n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Indication_Tool_ProcDump_possible",
    "content": "// Possible Procdump\nProcessCreationEvents  \n| where EventTime > ago(10d)\n| where (ProcessCommandLine contains \"-accepteula\" and ProcessCommandLine contains \"1>\") or (ProcessCommandLine contains \"-accepteula\" and ProcessCommandLine contains \"-ma\")\n| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)   by InitiatingProcessFileName, ProcessCommandLine\n| sort by dcount_ComputerName desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Network_Cscript_Wscript",
    "content": "NetworkCommunicationEvents \n| where EventTime > ago(7d)\n| where InitiatingProcessFileName in (\"cscript.exe\", \"wscript.exe\")\n| summarize makeset(InitiatingProcessParentName), makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName)  ,dcount(RemoteUrl) by InitiatingProcessCommandLine\n| sort by dcount_RemoteUrl desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Network_PowerShell",
    "content": "NetworkCommunicationEvents \n| where EventTime > ago(1d)\n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| summarize makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName)  ,dcount(RemoteUrl) by InitiatingProcessCommandLine\n| sort by dcount_RemoteUrl desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Bitsadmin Executions",
    "content": "// Bitsadmin Executions\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName contains \"bitsadmin.exe\"\n| where ProcessCommandLine contains \"/TRANSFER\" or ProcessCommandLine contains \"/CREATE\" or ProcessCommandLine contains \"/ADDFILE\"\nor ProcessCommandLine contains \"/SETPROXY\" or ProcessCommandLine contains \"/SETNOTIFYCMDLINE\" or ProcessCommandLine contains \"/SETCUSTOMHEADERS\"\nor ProcessCommandLine contains \"/SETSECURITYFLAGS\" or ProcessCommandLine contains \"/SETREPLYFILENAME\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Bitsadmin transfer",
    "content": "// download using bitsadmin\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"bitsadmin.exe\"\n| where ProcessCommandLine contains \"/transfer\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Certutil_decode in appdata",
    "content": "// Certutil Decode in Appdata\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"certutil.exe\"\n| where ProcessCommandLine contains \"-decode\" and ProcessCommandLine contains \"\\\\AppData\\\\\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Possible_MSOffice_Abuse",
    "content": "// Possible_MSOffice_Abuse\nProcessCreationEvents  \n| where EventTime > ago(1d)\n| where InitiatingProcessParentName contains \"winword.exe\" or InitiatingProcessParentName contains \"excel.exe\" or InitiatingProcessParentName contains  \"powerpnt.exe\"\n| where FileName contains \"cscript\" or FileName contains \"wscript\" or FileName contains \"powershell\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentName,  AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Rundll32_Control_RunDLL",
    "content": "// Control_RunDLL\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"rundll32.exe\"\n| where ProcessCommandLine contains \",Control_RunDLL\"\n| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)   by InitiatingProcessFileName, ProcessCommandLine\n| sort by dcount_ComputerName desc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Rundll32_DllRegisterServer",
    "content": "// DllRegisterServer\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"rundll32.exe\"\n| where ProcessCommandLine contains \"DllRegisterServer\"\n| summarize makeset(ComputerName), makeset(AccountName)  by InitiatingProcessFileName, ProcessCommandLine\n| sort by InitiatingProcessFileName asc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Rundll32_Sus",
    "content": "// Suspicious executions\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"rundll32.exe\"\n| where InitiatingProcessFileName in (\"winword.exe\" , \"excel.exe\" , \"cscript.exe\" , \"wscript.exe\" , \"mshta.exe\" )\n| summarize makeset(ComputerName), makeset(AccountName)  by InitiatingProcessFileName, ProcessCommandLine\n| sort by InitiatingProcessFileName asc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Rundll32_possible hta remote",
    "content": "// Possible remote HTA execution\nProcessCreationEvents  \n| where EventTime > ago(1d)\n| where FileName =~ \"rundll32.exe\"\n| where ProcessCommandLine contains \"mshtml,RunHTMLApplication\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_Rundll32_roaming",
    "content": "// Remote Executions\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"rundll32.exe\"\n| where ProcessCommandLine contains \"\\\\roaming\\\\\"\n| where ProcessCommandLine !contains \"\\\\STREAM Interactive (Emirates).appref-ms|\"\n| summarize makeset(ComputerName), makeset(AccountName)  by InitiatingProcessFileName, ProcessCommandLine\n| sort by InitiatingProcessFileName asc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_at.exe execution",
    "content": "ProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"at.exe\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_wmic_process call",
    "content": "// wmic process call\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"WMIC.exe\"\n| where ProcessCommandLine contains \"process call create\"\n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_wscript_js execution",
    "content": "// wscript - js execution\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"wscript.exe\"\n| where ProcessCommandLine contains \".js\"\n| summarize makeset(ComputerName), makeset(AccountName)  by InitiatingProcessFileName, ProcessCommandLine\n| sort by InitiatingProcessFileName asc "
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /Process_wscript_suspicious rar:zip",
    "content": "// wscript - Suspicious rar/zip userprofile execution\nProcessCreationEvents  \n| where EventTime > ago(7d)\n| where FileName =~ \"wscript.exe\"\n| where ProcessCommandLine contains \"\\\\appdata\\\\\" and ProcessCommandLine contains \".zip\" or ProcessCommandLine contains \"\\\\Rar$*\\\\\" \n| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName  \n| top 1000 by EventTime"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /SHELL Detection/Persistence_Potential DLL WebShell_Suspicious IIS module detected",
    "content": "// Name: Persistence_Potential DLL WebShell_Suspicious IIS module detected\n// Risk Level: HIGH\n// Justification: - DLL Web shells are hard to detect as they can run persistently over the IIS Modules as TransportModule.\n//                - As any other Web shell, DLL Web shells provide a set of functions to execute or a command-line interface on the system that hosts the Web server\n// Supporting Investigation Data Sources: Web Access Logs, Packets, ApplicationHost.config, Yara Scan\n// Tactic: Persistence\n// MITRE: https://attack.mitre.org/techniques/T1505/003/\n// Questions: beahunt3r@gmail.com\n\nunion DeviceProcessEvents, DeviceImageLoadEvents \n| where Timestamp > ago(7d)\n| extend CommandLine=coalesce(ProcessCommandLine,InitiatingProcessCommandLine) \n| where (FileName =~ \"appcmd.exe\" or InitiatingProcessFileName =~ \"appcmd.exe\") \n            and CommandLine contains \"module\" and ( CommandLine contains \" add\" \n            \t\t\t\t\t\t\t\t\t\t                        or CommandLine contains \" install\")\n| summarize count(), Timestamp = min(Timestamp) by DeviceId, ActionType, CommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName\n//////////////////////WHITELIST FILTER CONDITIONS//////////////////////\n| where InitiatingProcessParentFileName !contains @\"\\Windows\\System32\\inetsrv\\iissetup.exe\" \n            and InitiatingProcessParentFileName !in (\"iissetup.exe\")\n            and InitiatingProcessFileName !in (\"iissetup.exe\")\n            //and CommandLine !contains @\"<WHITELIST#1>\"\n//////////////////////END/////////////////////////////////////////////\n//| extend commandline=replace(@'%windir%', @'C:\\\\Windows', CommandLine)\t\t\t// Map env path to exact location\n| extend module_FolderPath = extract(\"(image|type)\\\\:([^(\\\\/|\\\\-|$)]+)(\\\\s+|$)\", 2, CommandLine)\n| extend module_FolderPath =replace(@'\\\"', @'', module_FolderPath)\n| extend module_FileName = extract(\"(.*)\\\\\\\\(.*)\", 2, module_FolderPath)\n| join (DeviceFileEvents | summarize count(), File_Create_Timestamp = min(Timestamp) by module_FileName = FileName, SHA256, ActionType, DeviceId) on module_FileName, DeviceId \t\t\t\t// Optional\n| where (Timestamp - File_Create_Timestamp) between (0min .. 1440min)\t\t\t\t// Optional\n| invoke FileProfile(SHA256) | where SignatureState != \"SignedValid\"\t\t\t\t// Optional\n"
  },
  {
    "path": "WindowsDefenderATP Hunting Queries /SHELL Detection/Process_Persistence_Potential WebShell Execution",
    "content": "// Risk Level: HIGH\n// Justification: - Web shells will be used by attackers for persistent access to a compromised machine. This rule will trigger when commands are executed remotely.\n//                - Any matching events must be thoroughly investigated; we may end up finding a potential weakness in the web application.\n//                - This rule is effective against the recent Exchange exploits\n// Supporting Investigation Data Sources: WebAccess Logs, Packets, Compile File, WebShell Yara Scan\n// Tactic: Persistence\n// MITRE: https://attack.mitre.org/techniques/T1505/003/\n// Questions: beahunt3r@gmail.com\n\nDeviceProcessEvents \n| where Timestamp > ago(7d)\n| where (   InitiatingProcessFileName == \"w3wp.exe\"                    // Windows process which runs Web applications\n            or InitiatingProcessFileName contains \"httpd.exe\"          // Apache httpd for Microsoft Windows\n            or InitiatingProcessFileName contains \"tomcat\"             // Apache Tomcat, an open-source implementation\n            or InitiatingProcessFileName contains \"appache.exe\"        // Apache Web server\n            or InitiatingProcessFileName contains \"nginx.exe\"          // Nginx web server\n            // Run a discovery search on ATP Network Events to find common web services running and add them here\n        ) \n        and FileName in (\"cmd.exe\", \"powershell.exe\")\n//////////////////////WHITELIST FILTER CONDITIONS//////////////////////\n//| where ( ProcessCommandLine !contains \"<WHITELIST#1>\" \n//            and ProcessCommandLine !contains \"<WHITELIST#2>\")\n//| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName\n| extend DC_Time = bin(Timestamp, 1d)\n| summarize count(), First_Event = min(Timestamp), Last_Event = max(Timestamp), DC_Time = dcount(DC_Time), dcount(DeviceName) by ProcessCommandLine\n"
  },
  {
    "path": "_config.yml",
    "content": "theme: jekyll-theme-time-machine"
  }
]