← Back to Explore
sigmahighHunting
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Detection Query
selection_global_flag:
TargetObject|contains|all:
- \Microsoft\Windows NT\CurrentVersion\
- \Image File Execution Options\
- \GlobalFlag
selection_silent_process:
TargetObject|contains|all:
- \Microsoft\Windows NT\CurrentVersion\
- \SilentProcessExit\
TargetObject|contains:
- \ReportingMode
- \MonitorProcess
condition: 1 of selection_*
Author
Karneades, Jonhnathan Ribeiro, Florian Roth
Created
2018-04-11
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1546.012car.2013-01-002
Raw Content
title: Potential Persistence Via GlobalFlags
id: 36803969-5421-41ec-b92f-8500f79c23b0
related:
- id: c81fe886-cac0-4913-a511-2822d72ff505
type: obsolete
status: test
description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
author: Karneades, Jonhnathan Ribeiro, Florian Roth
date: 2018-04-11
modified: 2023-06-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1546.012
- car.2013-01-002
logsource:
category: registry_set
product: windows
detection:
selection_global_flag:
TargetObject|contains|all:
- '\Microsoft\Windows NT\CurrentVersion\'
- '\Image File Execution Options\'
- '\GlobalFlag'
selection_silent_process:
TargetObject|contains|all:
- '\Microsoft\Windows NT\CurrentVersion\'
- '\SilentProcessExit\'
TargetObject|contains:
- '\ReportingMode'
- '\MonitorProcess'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high