mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

CAR Analytic Submission - T1574.001 - Creation of SafeDllSearchMode #134

Closed Ptylu closed 2 years ago

Ptylu commented 2 years ago

Creation of SafeDllSearchMode

Detection of creation of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the DLL search order.

ATT&CK Coverage

| Technique | Level of Coverage |
|---|---|
| Hijack Execution Flow: DLL Search Order Hijacking | Moderate |
| Modify Registry | Moderate |

Analytic Code

```
(("reg " AND "add" AND "/d") OR ("Set-ItemProperty" AND "-value")) AND ("Session Manager" AND "SafeDllSearchMode")
```

Test Cases

```
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0
```

```
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0
```

Data Model Mappings

| Object | Action | Field |
|---|---|---|
| process | create | command_line |

Developer Certificate of Origin

DCO signed-off-by: Lucas Heiligenstein lucas.heiligenstein@gmail.com
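As an added example (not part of the issue or the CAR repository), the analytic above implemented in Python over constructed process-creation events: the two test cases from the submission plus near-miss command lines (a read-only `reg query`, a `Get-ItemProperty`, a `reg add` to an unrelated key) that must not fire. Event fields and values are assumptions made for the sample.

```python
import re

# Constructed sample process-creation events (the "command_line" field), not taken from
# the CAR page. The first two mirror the issue's test cases; the rest are benign noise.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": "reg.exe", "command_line":
     'reg add "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager" /v SafeDllSearchMode /d 0'},
    {"pid": 4102, "image": "powershell.exe", "command_line":
     'Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Session Manager" -Name SafeDllSearchMode -Value 0'},
    {"pid": 4103, "image": "reg.exe", "command_line":
     'reg query "HKLM\\System\\CurrentControlSet\\Control\\Session Manager" /v SafeDllSearchMode'},
    {"pid": 4104, "image": "powershell.exe", "command_line":
     'Get-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Session Manager"'},
    {"pid": 4105, "image": "reg.exe", "command_line": 'reg add HKLM\\Software\\Contoso /v Setting /d 1'},
]


def _has_all(text, needles):
    """Case-insensitive substring AND, matching how the pseudo-query combines its terms."""
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def matches_analytic(command_line):
    """Mirror the analytic: a registry write via 'reg add ... /d' or
    'Set-ItemProperty ... -Value' that names both 'Session Manager' and 'SafeDllSearchMode'."""
    write_via_reg = _has_all(command_line, ["reg ", "add", "/d"])
    write_via_ps = _has_all(command_line, ["Set-ItemProperty", "-Value"])
    targets_key = _has_all(command_line, ["Session Manager", "SafeDllSearchMode"])
    return (write_via_reg or write_via_ps) and targets_key


def written_value(command_line):
    """Pull out the value following /d or -Value; '0' is the disabling case the issue describes."""
    m = re.search(r'(?:/d|-Value)\s+"?([^"\s]+)', command_line, re.IGNORECASE)
    return m.group(1) if m else None


def run_analytic(events):
    """Return the flagged events, each with the written value attached for triage."""
    return [{**ev, "value": written_value(ev["command_line"])}
            for ev in events if matches_analytic(ev["command_line"])]


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print(f'pid={hit["pid"]} {hit["image"]}: SafeDllSearchMode set to {hit["value"]}')
```

The substring matching is deliberately as loose as the pseudo-query, so a real deployment would also want to check the written value and the parent process before raising an alert.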

Ptylu commented 2 years ago

Hello, could you please tell me if the format is good? I chose to submit this detection because it was not very complex. I have other detections much more complex than this one that I would like to share if this one is valid.

ikiril01 commented 2 years ago

Hi @luffy68 - this looks good! A few suggestions:

Ptylu commented 2 years ago

Hi @ikiril01, thanks, I will do that today!