Add 38 new registry-based persistence techniques (#954)

* Add 38 new registry-based persistence techniques

* fix hhctrl com hijack match statement

* fix core_profiler_path rule

* remove optional from disk cleanup handler rule

* update dotnet_startup_hooks

* improve filter handler rule

* update persist via PATH

* merge task schedule persistence with existing rule

* update UserInitMprLogonScript rule

* merge universal app uri with default file association; add better reference

Author: jorik-utwente

nursery/persist-via-aedebug-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via AeDebug registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i
+      - string: /Debugger/i

nursery/persist-via-amsi-registry-key.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via AMSI registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\AMSI\\Providers\\/i

nursery/persist-via-app-paths-registry-key.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via App paths registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
+    references:
+      - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i

nursery/persist-via-appcertdlls-registry-key.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via AppCertDlls registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::AppCert DLLs [T1546.009]
+    references:
+      - https://skanthak.hier-im-netz.de/appcert.html
+  features:
+    - and:
+      - match: set registry value
+      - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i

nursery/persist-via-appx-registry-key.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: persist via AppX registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i
+        - and:
+          - string: /ActivatableClasses\\Package\\/i
+          - string: /DebugInformation/i
+          - string: /DebugPath/i

nursery/persist-via-autodialdll-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via AutodialDLL registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations
+      - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+  features:
+    - and:
+      - match: set registry value
+      - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i
+      - string: /AutodialDLL/i

nursery/persist-via-autoplayhandlers-registry-key.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: persist via AutoplayHandlers registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event
+      - https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i
+      - or:
+        - string: /Action/i
+        - string: /Provider/i
+        - string: /InitCmd/i

nursery/persist-via-bootverificationprogram-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via BootVerificationProgram registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution [T1547]
+    references:
+      - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+  features:
+    - and:
+      - match: set registry value
+      - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i
+      - string: /ImagePath/i

nursery/persist-via-code-signing-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via Code signing registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
+  features:
+    - and:
+      - match: set registry value
+      - and:
+        - string: /Microsoft\\Cryptography\\OID\\/i
+        - string: /^Dll$/i

nursery/persist-via-com-hijack.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: persist via COM hijack
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
+    references:
+      - https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/
+      - https://stmxcsr.com/persistence/com-hijacking.html
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - string: /Classes\\CLSID/i
+        - string: /Classes\\WOW6432Node\\CLSID/i
+      - or:
+        - string: /InProcServer32/i
+        - string: /LocalServer32/i

nursery/persist-via-command-processor-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via Command Processor registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
+  features:
+    - and:
+      - match: set registry value
+      - and:
+        - string: /Microsoft\\Command Processor/i
+        - string: /AutoRun/i

nursery/persist-via-contextmenuhandlers-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via ContextMenuHandlers registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://pentestlab.blog/2023/03/13/persistence-context-menu/
+      - https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html
+  features:
+    - and:
+      - match: set registry value
+      - string: /\\shellex\\ContextMenuHandlers\\/i

nursery/persist-via-cor_profiler_path-registry-value.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via COR_PROFILER_PATH registry value
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012]
+    references:
+      - https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Environment/i
+      - string: /COR_PROFILER_PATH/i

nursery/persist-via-default-file-association-registry-key.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: persist via default file association registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
+    references:
+      - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association
+      - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - string: /\\shell\\open\\command/i
+        - string: /\\shell\\print\\command/i
+        - string: /\\shell\\printto\\command/i

nursery/persist-via-disk-cleanup-handler-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via Disk Cleanup Handler registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+      - https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i

nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via .NET DbgManagedDebugger registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\.NETFramework/i
+      - string: /DbgManagedDebugger/i

nursery/persist-via-dotnet_startup_hooks-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via DOTNET_STARTUP_HOOKS registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002]
+    references:
+      - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
+  features:
+    - and:
+      - match: set registry value
+      - string: /Environment/i
+      - string: /DOTNET_STARTUP_HOOKS/i

nursery/persist-via-explorer-tools-registry-key.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via Explorer tools registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i

nursery/persist-via-filter-handlers-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via Filter Handlers registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - string: /\\\..*\\PersistentHandler/i
+        - string: /CLSID\\.*\\PersistentHandler/i

nursery/persist-via-group-policy-registry-key.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: persist via Group Policy registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution [T1547]
+    references:
+      - None
+  features:
+    - and:
+      - match: set registry value
+      - and:
+        - or:
+          - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i
+          - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i
+        - string: /^Script$/i

nursery/persist-via-hhctrl-com-hijack.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via hhctrl COM hijack
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+  features:
+    - and:
+      - match: persist via COM hijack
+      - string: /{52A2AAAE-085D-4187-97EA-8C30DB990436}/i

nursery/persist-via-htmlhelp-author-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via HtmlHelp Author registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow [T1574]
+    references:
+      - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+  features:
+    - and:
+      - match: set registry value
+      - and:
+        - string: /Software\\Microsoft\\HtmlHelp Author/i
+        - string: /location/i

nursery/persist-via-image-file-execution-options-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via Image File Execution Options registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution::Image File Execution Options Injection [T1546.012]
+    references:
+      - https://www.malwarebytes.com/blog/101/2015/12/an-introduction-to-image-file-execution-options
+      - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\/i
+      - string: /Debugger/i

nursery/persist-via-lsa-registry-key.yml

@@ -0,0 +1,28 @@
+rule:
+  meta:
+    name: persist via LSA registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002]
+      - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/secauthn/authentication-packages
+      - https://learn.microsoft.com/en-us/windows/win32/secmgmt/password-filters
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - and:
+          - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Lsa/i
+          - or:
+            - string: /Authentication Packages/i
+            - string: /Notification packages/i
+            - string: /Security Packages/i
+        - and:
+          - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\LsaExtensionConfig\\LsaSrv/i
+          - string: /Extensions/i

nursery/persist-via-natural-language-registry-key.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via Natural Language registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution [T1547]
+    references:
+      - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+  features:
+    - and:
+      - match: set registry value
+      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\ContentIndex\\Language\\/i
+      - or:
+        - string: /StemmerDLLPathOverride/i
+        - string: /WBDLLPathOverride/i

nursery/persist-via-netsh-registry-key.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: persist via Netsh registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Netsh/i

nursery/persist-via-network-provider-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via Network provider registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008]
+    references:
+      - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
+  features:
+    - and:
+      - match: set registry value
+      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\.*\\NetworkProvider/i
+      - string: /ProviderPath/i

nursery/persist-via-path-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via PATH registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
+    references:
+      - https://attack.mitre.org/techniques/T1574/007/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Environment/i
+      - string: /^PATH$/i

nursery/persist-via-print-monitors-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via Print Monitors registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Port Monitors [T1547.010]
+    references:
+      - https://stmxcsr.com/persistence/print-monitor.html
+      - https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
+  features:
+    - and:
+      - match: set registry value
+      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Monitors\\/i
+      - string: /^Driver$/i

nursery/persist-via-rdp-startup-programs-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via RDP startup programs registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside
+      - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
+  features:
+    - and:
+      - match: set registry value
+      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\Wds\\rdpwd/i
+      - string: /^StartupPrograms$/i

nursery/persist-via-silentprocessexit-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via SilentProcessExit registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\.*/i
+      - string: /^MonitorProcess$/i

nursery/persist-via-telemetrycontroller-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via TelemetryController registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Scheduled Task/Job [T1053]
+    references:
+      - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\/i
+      - string: /^Command$/i

nursery/persist-via-timeproviders-registry-key.yml

@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: persist via TimeProviders registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Time Providers [T1547.003]
+    references:
+      - https://stmxcsr.com/persistence/time-provider.html
+      - https://learn.microsoft.com/en-us/windows/win32/sysinfo/time-provider?redirectedfrom=MSDN
+  features:
+    - and:
+      - match: set registry value
+      - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\W32Time\\TimeProviders\\/i
+      - string: /^DllName$/i

nursery/persist-via-ts-initialprogram-registry-key.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: persist via TS InitialProgram registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://persistence-info.github.io/Data/tsinitialprogram.html
+  features:
+    - and:
+      - match: set registry value
+      - or:
+        - string: /\\Policies\\Microsoft\\Windows NT\\Terminal Services/i
+        - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\WinStations\\RDP-Tcp/i
+      - string: /^InitialProgram$/i

nursery/persist-via-userinitmprlogonscript-registry-value.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via UserInitMprLogonScript registry value
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Boot or Logon Initialization Scripts::Logon Script (Windows) [T1037.001]
+    references:
+      - https://attack.mitre.org/techniques/T1037/001/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Environment/i
+      - string: /UserInitMprLogonScript/i

nursery/persist-via-windows-error-reporting-registry-key.yml

@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: persist via Windows Error Reporting registry key
+    namespace: persistence/registry
+    authors:
+      - j.j.vannielen@utwente.nl
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Persistence::Event Triggered Execution [T1546]
+    references:
+      - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+  features:
+    - and:
+      - match: set registry value
+      - string: /Microsoft\\Windows\\Windows Error Reporting\\Hangs/i
+      - string: /Debugger/i

persistence/scheduled-tasks/schedule-task-via-schtasks.yml

@@ -4,18 +4,29 @@ rule:
     namespace: persistence/scheduled-tasks
     authors:
       - 0x534a@mailbox.org
+      - j.j.vannielen@utwente.nl
     scopes:
       static: function
       dynamic: call
     att&ck:
       - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
+      - https://stmxcsr.com/persistence/scheduled-tasks.html
     examples:
       - 79cde1aa711e321b4939805d27e160be:0x401440
   features:
-    - and:
-      - match: host-interaction/process/create
-      - or:
-        - and:
-          - string: /schtasks/i
-          - string: /\/create /i
-        - string: /Register-ScheduledTask /i
+    - or:
+      - and:
+        - match: set registry value
+        - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i
+        - string: /^Actions$/i
+      - and:
+        - match: host-interaction/process/create
+        - or:
+          - and:
+            - string: /schtasks/i
+            - or:
+              - string: /\/change/i
+              - string: /\/create/i
+          - string: /Register-ScheduledTask /i