Narrator's Feedback-Hub Persistence

Severity: high
Author: Dmitriy Lifanov, oscd.community
Source: upstream

Detects abusing Windows 10 Narrator's Feedback-Hub

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider	Event ID	Title
Sysmon	12	RegistryEvent (Object create and delete)
Sysmon	13	RegistryEvent (Value Set)
Sysmon	14	RegistryEvent (Key and Value Rename)

Stages and Predicates

Stage 1: `1 of selection1`

EventType: DeleteValue
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'

Stage 2: `1 of selection2`

TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventType`	eq	`DeleteValue` corpus 5 (sigma 4, splunk 1)
`TargetObject`	ends_with	`\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)` `\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute`