[RTA] Adds RTAs for endpoint rules (#2621)

* [RTA] Adds RTAs for endpoint rules

* Update exec_cscript_archive_args.py

* Review RTAs 1/2

* Update suspicious_msiexec_child.py

* Update rta/exec_cscript_archive_args.py

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

rta/exec_cscript_archive_args.py

@@ -0,0 +1,41 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="4aa158f6-39ed-456f-9d8a-849052cce2f5",
+    platforms=["windows"],
+    endpoint=[
+        {'rule_id': '816e1e39-e1a3-4935-9b7b-18395d244670', 'rule_name': 'Windows Script Execution from Archive File'},
+        {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+        {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+        {'rule_id': '23e29d07-7584-465e-8a6d-912d9ea254a6', 'rule_name': 'Suspicious Image Load via Windows Scripts'}
+    ],
+    siem=[],
+    techniques=['T1059', 'T1059.007', 'T1566', 'T1566.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    cscript = "C:\\Users\\Public\\cscript.exe"
+    rcedit = "C:\\Users\\Public\\rcedit.exe"
+    common.copy_file(EXE_FILE, cscript)
+    common.copy_file(RENAMER, rcedit)
+
+    common.log("Modifying the OriginalFileName attribute")
+    common.execute([rcedit, cscript, "--set-version-string", "OriginalFilename", "cscript.exe"])
+
+    common.execute([cscript, "/c", "echo", "C:\\Users\\A\\Temp\\7zip"], timeout=5, kill=True)
+    common.remove_files(cscript)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_dnguard_program.py

@@ -0,0 +1,43 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="db2e6589-d2df-4d9d-9d88-d91af5fd57e9",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'e691d379-6d01-43cc-9f1e-ab10df48a6bc',
+        'rule_name': 'Execution of a DNGUard Protected Program'
+    }],
+    siem=[],
+    techniques=['T1027', 'T1027.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    posh = "C:\\Users\\Public\\posh.exe"
+    user32 = "C:\\Windows\\System32\\user32.dll"
+    dll = "C:\\Users\\Public\\HVMRuntm.dll"
+    ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+    common.copy_file(EXE_FILE, posh)
+    common.copy_file(user32, dll)
+    common.copy_file(PS1_FILE, ps1)
+
+    # Execute command
+
+    common.log("Loading DNGUard DLL")
+    common.execute([posh, "-c", f"Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+    common.remove_files(posh, dll, ps1)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_java_via_scripting.py

@@ -0,0 +1,49 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="a3b26c9e-6910-43f7-93b2-84cc777e54f4",
+    platforms=["windows"],
+    endpoint=[
+        {
+            'rule_id': '15b1d979-5be0-4e7f-9202-0c4cfd76b146',
+            'rule_name': 'Suspicious Java Execution via a Windows Script'
+        },
+        {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+        {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+        {'rule_id': '23e29d07-7584-465e-8a6d-912d9ea254a6', 'rule_name': 'Suspicious Image Load via Windows Scripts'}
+    ],
+    siem=[],
+    techniques=['T1059', 'T1059.005', 'T1059.007'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(common.WINDOWS)
+def main():
+    path = "C:\\Program Files\\Java\\jrertaendgametest\\bin\\"
+    argpath = "C:\\\"Program Files\"\\Java\\jrertaendgametest\\bin\\Javafake.exe"
+    cscript = "C:\\Users\\Public\\cscript.exe"
+    executable = path + "Javafake.exe"
+
+    if not os.path.exists(path):
+        os.makedirs(path)
+    else:
+        pass
+    common.copy_file(EXE_FILE, cscript)
+    common.copy_file(EXE_FILE, executable)
+
+    # Execute command
+    common.execute([cscript, "/c", argpath, ("iwr google.com -UseBasicParsing -UserAgent "
+                    "'C:\\Users\\Public\\' -SessionVariable '-jar'")], timeout=10)
+    common.remove_files(cscript, executable)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_msiexec_dllregisterserver.py

@@ -0,0 +1,31 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="a37316f1-2828-45d2-85ea-1783bb9b9982",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'ed77616c-8f97-472b-bb15-532af004e82a',
+        'rule_name': 'Suspicious DLLRegisterServer Execution via MSIEXEC'
+    }],
+    siem=[],
+    techniques=['T1218', 'T1218.007'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    msiexec = "C:\\Windows\\System32\\msiexec.exe"
+
+    common.execute([msiexec, "/z"], timeout=5, kill=True)
+    common.remove_files(msiexec)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_shortcut_embedded_obj.py

@@ -0,0 +1,44 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="32faebaa-b581-464c-bca9-6936fe0948dc",
+    platforms=["windows"],
+    endpoint=[
+        {
+            'rule_id': '8076640d-ec66-4d24-a252-ee2f054e00a1',
+            'rule_name': 'Windows Shortcut File Embedded Object Execution'
+        },
+        {
+            'rule_id': '9fdd772b-b483-404f-bc02-7ec87e332bec',
+            'rule_name': 'Embedded Executable via Windows Shortcut File'
+        }
+    ],
+    siem=[],
+    techniques=['T1059', 'T1059.003', 'T1204', 'T1204.001', 'T1204.002', 'T1566', 'T1566.001', 'T1566.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(common.WINDOWS)
+def main():
+    cmd = "C:\\Users\\Public\\cmd.exe"
+    rta = "C:\\Users\\Public\\rta.exe"
+    tempfile = "C:\\Users\\Public\\a.txt"
+    common.copy_file(EXE_FILE, cmd)
+    common.copy_file(EXE_FILE, rta)
+
+    # Execute command
+    common.execute([cmd, "/c", f"Copy-Item {EXE_FILE} '{tempfile}'; echo 'finda.a.lnk >1&'; {rta}"],
+                   kill=True, timeout=10)
+    common.remove_files(cmd, rta, tempfile)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_vs_prebuildevent.py

@@ -0,0 +1,40 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="c4445d28-fe0f-4822-b0b0-92e188a9ca0e",
+    platforms=["windows"],
+    endpoint=[
+        {
+            'rule_id': '74be6307-2d15-4c71-8072-fc606f337a51',
+            'rule_name': 'Execution via MS VisualStudio Pre/Post Build Events'
+        },
+        {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+        {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'}
+    ],
+    siem=[],
+    techniques=['T1127', 'T1127.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    msbuild = "C:\\Users\\Public\\msbuild.exe"
+    cmd = "C:\\Users\\Public\\cmd.exe"
+    common.copy_file(EXE_FILE, cmd)
+    common.copy_file(EXE_FILE, msbuild)
+
+    common.execute([msbuild, "/c", cmd, "/c", cmd, "echo C:\\Users\\A\\AppData\\Local\\Temp\\tmpa.exec.cmd"],
+                   timeout=10, kill=True)
+    common.remove_files(cmd, msbuild)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/exec_vsls_agent.py

@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="ad0986cb-b5ef-41ad-9b40-8d708dc28844",
+    platforms=["windows"],
+    endpoint=[
+        {
+        'rule_id': 'a5416b1f-fc3f-4162-936d-34086689c3b0',
+        'rule_name': 'DLL Execution via Visual Studio Live Share'
+        }
+    ],
+    siem=[],
+    techniques=['T1218'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    vslsagent = "C:\\Users\\Public\\vsls-agent.exe"
+    common.copy_file(EXE_FILE, vslsagent)
+
+    common.execute([vslsagent, "/c", "echo", "--agentExtensionPath"], timeout=5, kill=True)
+    common.remove_files(vslsagent)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/file_ms_template_macros.py

@@ -0,0 +1,32 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="858475a2-78a6-40f8-8691-7ce0c631cc0c",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': '608eae71-6797-4ded-bfaa-41bcb17a8498',
+        'rule_name': 'Office Application Startup via Template File Modification'
+    }],
+    siem=[],
+    techniques=['T1137', 'T1137.001'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Templates\\"
+    os.makedirs(path, exist_ok=True)
+    file = path + "\\Normal.dotm"
+
+    common.temporary_file_helper("testing", file_name=file)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/file_script_startup_folder.py

@@ -0,0 +1,42 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="b8dcb997-e099-472e-8f2f-15a80c8dfe1a",
+    platforms=["windows"],
+    endpoint=[
+        {
+            'rule_id': 'dec8781c-ef73-4037-9684-ef28c0322fa4',
+            'rule_name': 'Script File Written to Startup Folder'
+        },
+        {
+            "rule_name": "Unusual File Written or Modified in Startup Folder",
+            "rule_id": "30a90136-7831-41c3-a2aa-1a303c1186ac",
+        }
+    ],
+    siem=[],
+    techniques=['T1547', 'T1547.001'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    proc = "C:\\Users\\Public\\proc.exe"
+    path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\"
+    file = path + "\\a.js"
+    common.copy_file(EXE_FILE, proc)
+    os.makedirs(path, exist_ok=True)
+
+    common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10)
+    common.remove_files(proc, file)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/file_susp_browser_extension.py

@@ -0,0 +1,36 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="edb804d6-85df-4dca-a521-1b6dfee9f354",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': '7df7fca3-8a91-4a54-9799-0478a90ae326',
+        'rule_name': 'Suspicious Browser Files Modification'
+    }],
+    siem=[],
+    techniques=['T1176', 'T1112'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    proc = "C:\\Users\\Public\\proc.exe"
+    path = "C:\\Users\\Public\\AppData\\Roaming\\Mozilla\\Test\\Profiles\\AdefaultA"
+    file = path + "\\extensions.json"
+    common.copy_file(EXE_FILE, proc)
+    os.makedirs(path, exist_ok=True)
+
+    common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10)
+    common.remove_files(proc, file)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/image_load_taskhost.py

@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="9cca3284-848f-483a-9241-48562eee0605",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': '4b4ba027-151f-40e4-99ba-a386735c27e4',
+        'rule_name': 'Unsigned DLL Loaded by Windows Tasks Host'
+    }],
+    siem=[],
+    techniques=['T1053', 'T1053.005'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    taskhost1 = "C:\\Users\\Public\\taskhost1.exe"
+    user32 = "C:\\Windows\\System32\\user32.dll"
+    dll = "C:\\Users\\Public\\unsigned.dll"
+    ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+    rcedit = "C:\\Users\\Public\\rcedit.exe"
+    common.copy_file(user32, dll)
+    common.copy_file(EXE_FILE, taskhost1)
+    common.copy_file(PS1_FILE, ps1)
+    common.copy_file(RENAMER, rcedit)
+
+    common.log("Modifying the OriginalFileName attribute")
+    common.execute([rcedit, dll, "--set-version-string", "OriginalFilename", "unsigned.dll"])
+
+    common.log("Loading unsigned DLL into fake taskhost")
+    common.execute([taskhost1, "-c", f"Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+    common.remove_files(dll, ps1, rcedit)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/image_load_vaultcli.py

@@ -0,0 +1,45 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="2145af1a-0781-47ab-8d73-2d50e93b5ff7",
+    platforms=["windows"],
+    endpoint=[
+        {'rule_id': '048737fe-80d6-4462-aa80-ffeed853103e', 'rule_name': 'Suspicious Vault Client Image Load'},
+        {'rule_id': '65784f6e-247a-466b-bbfb-cd92024f7e82', 'rule_name': 'Suspicious PowerShell Execution'}
+    ],
+    siem=[],
+    techniques=['T1555', 'T1555.004', 'T1059', 'T1059.001'],
+)
+PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
+RENAMER = common.get_path("bin", "rcedit-x64.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+    user32 = "C:\\Windows\\System32\\user32.dll"
+    dll = "C:\\Users\\Public\\vaultcli.dll"
+    ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
+    rcedit = "C:\\Users\\Public\\rcedit.exe"
+    common.copy_file(user32, dll)
+    common.copy_file(PS1_FILE, ps1)
+    common.copy_file(RENAMER, rcedit)
+
+    common.log("Modifying the OriginalFileName attribute")
+    common.execute([rcedit, dll, "--set-version-string", "OriginalFilename", "vaultcli.dll"])
+
+    common.log("Loading vaultcli.dll")
+    common.execute([powershell, "-c", f"echo downloadstring; Import-Module {ps1}; Invoke-ImageLoad {dll}"], timeout=10)
+
+    common.remove_files(dll, ps1, rcedit)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/msoffice_addins_file.py

@@ -0,0 +1,34 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="97979b30-908d-4c57-a33a-f3b78e55a84a",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'aaa80718-1ed9-43bd-bcf7-97f2a6c93ea8',
+        'rule_name': 'Persistence via Microsoft Office AddIns'
+    }],
+    siem=[],
+    techniques=['T1137'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Word\\Startup"
+    os.makedirs(path, exist_ok=True)
+    file = path + "\\file.exe"
+
+    common.copy_file(EXE_FILE, file)
+    common.remove_file(file)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/reg_mod_ifeo.py

@@ -0,0 +1,36 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="2bb1016f-b3e9-455d-b665-02a0aafc797a",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'ff5fd85a-e770-4e57-8bae-0d267442eb9f',
+        'rule_name': 'Suspicious Image File Execution Options Modification'
+    }],
+    siem=[],
+    techniques=['T1546', 'T1546.012'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    common.log("Temp Registry mod: IFEO")
+
+    key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rta.exe\\"
+    value = "Debugger"
+    data = "Test"
+
+    with common.temporary_reg(common.HKLM, key, value, data):
+        pass
+
+
+if __name__ == "__main__":
+    exit(main())

rta/reg_mod_unusual_startup_folder.py

@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="4ac771ca-5095-4a1b-ac6a-e2b714be8ccc",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': '377aad38-24e0-4dd7-93c2-bd231cb749e3',
+        'rule_name': 'Unusual Startup Shell Folder Modification'
+    }],
+    siem=[],
+    techniques=['T1547', 'T1547.001', 'T1112'],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    common.log("Temp Registry mod: Common Startup Folder")
+
+    key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
+    value = "Common Startup"
+    data = "Test"
+
+    with common.temporary_reg(common.HKLM, key, value, data):
+        pass
+
+
+if __name__ == "__main__":
+    exit(main())

rta/suspicious_msiexec_child.py

@@ -0,0 +1,40 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="2cefb7c2-5ffc-4410-a63c-bded93b258c3",
+    platforms=["windows"],
+    endpoint=[
+        {
+            'rule_id': '877c6bd9-8df1-4a15-aa97-2a091731b15d',
+            'rule_name': 'Suspicious MsiExec Child Process'
+        },
+        {'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
+        {'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
+        {'rule_id': '5db08297-bf72-49f4-b426-f405c2b01326', 'rule_name': 'Regsvr32 with Unusual Arguments'}
+    ],
+    siem=[],
+    techniques=['T1218', 'T1218.007'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    msiexec = "C:\\Users\\Public\\msiexec.exe"
+    regsvr32 = "C:\\Users\\Public\\regsvr32.exe"
+    common.copy_file(EXE_FILE, msiexec)
+    common.copy_file(EXE_FILE, regsvr32)
+
+    common.execute([msiexec, "/c", regsvr32, "echo", "scrobj.dll"], timeout=5, kill=True)
+    common.remove_files(msiexec)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/uac_windir_masq.py

@@ -0,0 +1,33 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="3b8454af-db6b-4d4c-92c6-89ca7b6640f1",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'adaf95d2-28ce-4880-af16-f3041b624440',
+        'rule_name': 'UAC Bypass Attempt via Windows Directory Masquerading'
+    }],
+    siem=[],
+    techniques=['T1548', 'T1548.002'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    proc = "C:\\Users\\Public\\proc.exe"
+    common.copy_file(EXE_FILE, proc)
+
+    common.execute([proc, "/c", "echo", "C:\\Windows \\System32\\a.exe"], timeout=5, kill=True)
+    common.remove_files(proc)
+
+
+if __name__ == "__main__":
+    exit(main())

rta/unusual_parent_chrome_extension.py

@@ -0,0 +1,35 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="9e31b8ae-c0a6-46c9-9634-d1aebceea541",
+    platforms=["windows"],
+    endpoint=[{
+        'rule_id': 'd7fda3d7-fe77-49c2-8b50-d28a6da206c4',
+        'rule_name': 'Chromium Extension Loaded from Unusual Parent'
+    }],
+    siem=[],
+    techniques=['T1176'],
+)
+EXE_FILE = common.get_path("bin", "renamed_posh.exe")
+
+
+@common.requires_os(metadata.platforms)
+def main():
+    proc = "C:\\Users\\Public\\proc.exe"
+    childproc = "C:\\Users\\Public\\childproc.exe"
+    common.copy_file(EXE_FILE, proc)
+    common.copy_file(EXE_FILE, childproc)
+
+    common.execute([proc, "/c", "echo", f"--load-extension; & {childproc}"], timeout=5, kill=True)
+    common.remove_files(childproc, proc)
+
+
+if __name__ == "__main__":
+    exit(main())