The hypothesis is that an adversary is attempting to establish persistence by creating a malicious file named ErrorHandler.Cmd, which could be used to execute arbitrary code or maintain long-term access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistence mechanisms early in the attack lifecycle.
Detection Rule
title: Potential Persistence Attempt Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: test
description: |
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
references:
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2022-12-19
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
condition: selection
falsepositives:
- Unknown
level: medium
imFileEvent
| where TargetFileName endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"Scenario: Scheduled Job Creation
Description: A legitimate scheduled job (e.g., via Task Scheduler or SQL Server Agent) creates a file named ErrorHandler.Cmd as part of a routine maintenance or error logging process.
Filter/Exclusion: Check for file creation context (e.g., CommandLine contains schtasks or sqlagent), or filter by file path (e.g., C:\Windows\Tasks\ or C:\Program Files\Microsoft SQL Server\).
Scenario: Admin Script Deployment
Description: A system administrator deploys a script using ErrorHandler.Cmd as a placeholder or error-handling mechanism during a software deployment or patching process.
Filter/Exclusion: Filter by user account (e.g., NT AUTHORITY\SYSTEM or DOMAIN\Admins), or check for presence of known deployment tools (e.g., msiexec, setup.exe, or PowerShell.exe).
Scenario: Log File Rotation
Description: A log rotation tool (e.g., logrotate, Windows Event Log cleaner, or third-party log management software) creates a file named ErrorHandler.Cmd as a temporary or error log.
Filter/Exclusion: Check for file path (e.g., C:\Logs\, C:\Temp\, or C:\ProgramData\), or filter by file extension (e.g., .log, .tmp, or .txt).
Scenario: Antivirus Quarantine File
Description: An antivirus or endpoint protection tool quarantines a malicious file and renames it to ErrorHandler.Cmd as part of its quarantine process.
Filter/Exclusion: Check for file metadata (e.g., FileHash matches known quarantine files), or filter by process name (e.g., `Ms