CAR Analytic Submission - T1574.001 - Creation of SafeDllSearchMode
Ptylu opened this issue · comments
Creation of SafeDllSearchMode
Detection of creation of registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order.
ATT&CK Coverage
| Technique | Level of Coverage |
|---|---|
| Hijack Execution Flow: DLL Search Order Hijacking | Moderate |
| Modify Registry | Moderate |
Analytic Code
(("reg "AND "add" AND "/d") OR ("Set-ItemProperty" AND "-value")) AND ("Session Manager" AND "SafeDllSearchMode")
Test Cases
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0
Data Model Mappings
| Object | Action | Field |
|---|---|---|
| process | create | command_line |
Developer Certificate of Origin
DCO signed-off-by: Lucas Heiligenstein lucas.heiligenstein@gmail.com
Hello, could you please tell me if the format is good. I chose to submit this detection because it was not very complex. I have other detections much more complex than this one that I would like to share if this one is valid.
Hi @Luffy68 - this looks good! A few suggestions:
- In the description, could you include a short statement around what this (setting SafeDllSearch to 0) enables adversaries to do.
- If possible, please submit the analytic in a pull request using our YAML format. You can see more about this here: https://github.com/mitre-attack/car/blob/master/CONTRIBUTING.md#yaml-submissions