detection.wiki

Detection rules › Sigma

Potential Persistence Via App Paths Default Property

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1546.012 Event Triggered Execution: Image File Execution Options Injection
Privilege EscalationT1546.012 Event Triggered Execution: Image File Execution Options Injection

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
Details|contains: '%temp%'
Details|contains: '%tmp%'
Details|contains: .bat
Details|contains: .dll
Details|contains: .hta
Details|contains: .ps1
Details|contains: Invoke-
Details|contains: '\AppData\Local\Temp\'
Details|contains: '\Desktop\'
Details|contains: '\Downloads\'
Details|contains: '\Users\Public'
Details|contains: '\Windows\Temp\'
Details|contains: cscript
Details|contains: iex
Details|contains: mshta
Details|contains: regsvr32
Details|contains: rundll32
Details|contains: wscript
or:
TargetObject|endswith: '(Default)'
TargetObject|endswith: Path
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailsmatch
  • %temp% corpus 3 (sigma 3)
  • %tmp% corpus 4 (sigma 4)
  • .bat corpus 2 (sigma 2)
  • .dll corpus 3 (sigma 3)
  • .hta corpus 2 (sigma 2)
  • .ps1
  • Invoke- corpus 2 (sigma 2)
  • \AppData\Local\Temp\ corpus 9 (sigma 9)
  • \Desktop\ corpus 3 (sigma 3)
  • \Downloads\ corpus 2 (sigma 2)
  • \Users\Public
  • \Windows\Temp\ corpus 4 (sigma 4)
  • cscript corpus 4 (sigma 4)
  • iex corpus 2 (sigma 2)
  • mshta corpus 4 (sigma 4)
  • regsvr32 corpus 3 (sigma 3)
  • rundll32 corpus 4 (sigma 4)
  • wscript corpus 4 (sigma 4)
TargetObjectends_with
  • (Default) corpus 2 (sigma 2)
  • Path
TargetObjectmatch
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths