Potential Persistence Via Event Viewer Events.asp

Sigma Rules

Summary
This detection rule targets a potential persistence mechanism that abuses Windows Event Viewer to execute arbitrary scripts or commands through registry modifications. Specifically, it examines the registry keys associated with the Event Viewer for unusual entries that could redirect execution to potentially malicious programs. The technique relies on manipulating the Event Viewer configuration settings, particularly the 'MicrosoftRedirectionProgram' and 'MicrosoftRedirectionURL' values. The rule applies several conditions to separate legitimate activity from malicious behaviour, so that only suspicious modifications trigger alerts. These include checking that the process writing the redirection program is the legitimate Windows service host (svchost.exe), while monitoring the written value for signs of harmful intent, such as unusual URLs or command-line parameters. By combining these checks, the rule seeks to identify attempts to maintain persistence in a Windows environment via the Event Viewer.
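The following is an added illustration, not the Sigma rule itself or code from the Sigma project: a small Python checker that applies the logic described above (watch writes to the two Event Viewer redirection values, allow only svchost.exe writing the expected default) to a handful of constructed Sysmon registry events. The expected default values, the exact svchost.exe path and the sample events are assumptions for this example and should be validated against a clean host before being used as an allow-list.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry value names named in the rule summary.
WATCHED_VALUES = {"MicrosoftRedirectionProgram", "MicrosoftRedirectionURL"}

# ASSUMPTION: expected defaults written by the OS; matched as suffixes.
# These are not from the page; confirm them on a known-good machine.
EXPECTED_DETAILS = {
    "MicrosoftRedirectionProgram": ("\\eventvwr.msc",),
    "MicrosoftRedirectionURL": ("http://go.microsoft.com/fwlink/events.asp",),
}

# ASSUMPTION: the only legitimate writer is the system svchost.exe.
LEGIT_WRITER = r"c:\windows\system32\svchost.exe"


@dataclass
class Finding:
    value_name: str
    image: str
    details: str
    reason: str


def _value_name(target_object: str) -> str:
    """Return the last path component of a registry TargetObject."""
    return target_object.rsplit("\\", 1)[-1]


def check_registry_event(event: dict) -> Optional[Finding]:
    """Evaluate one Sysmon-style registry event (EventID 13 = value set)."""
    if event.get("EventID") != 13:
        return None
    name = _value_name(event.get("TargetObject", ""))
    if name not in WATCHED_VALUES:
        return None
    image = event.get("Image", "")
    details = event.get("Details", "")
    # Anything other than the system service host touching these values is suspicious.
    if image.lower() != LEGIT_WRITER:
        return Finding(name, image, details, "writer is not the system svchost.exe")
    # svchost.exe writing something other than the expected default is also suspicious.
    if not any(details.lower().endswith(s.lower()) for s in EXPECTED_DETAILS[name]):
        return Finding(name, image, details, "value does not match the expected default")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a sequence of events and collect findings."""
    return [f for f in (check_registry_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry). The key path is assumed.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\MicrosoftRedirectionURL",
     "Details": "http://go.microsoft.com/fwlink/events.asp"},          # benign default
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": KEY + r"\MicrosoftRedirectionProgram",
     "Details": r"C:\ProgramData\example\updater.exe"},                # unexpected writer
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\MicrosoftRedirectionURL",
     "Details": "http://example.invalid/events.asp"},                  # unusual URL
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\ConstructedUnrelatedValue", "Details": "1"},  # not watched
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},          # not a registry event
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding.value_name}: {finding.reason} "
              f"(Image={finding.image}, Details={finding.details})")
```

Run as-is it reports two findings: the PowerShell write to MicrosoftRedirectionProgram and the svchost.exe write of an unexpected URL. The two-part condition mirrors the summary: the writer check catches a non-system process modifying the value, and the value check catches a legitimate-looking writer pointing the redirection at something other than the default.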
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2023-02-17