Potential Persistence Using DebugPath

Severity: medium
Author: frack113
Source: upstream

Detects potential persistence using Appx DebugPath

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.015` Event Triggered Execution: Component Object Model Hijacking
Privilege Escalation	`T1546.015` Event Triggered Execution: Component Object Model Hijacking

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection_debug`

TargetObject|endswith: '\DebugPath'
TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'

Stage 2: `1 of selection_default`

TargetObject|endswith: '\(Default)'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetObject`	ends_with	`\(Default)` corpus 2 (sigma 2) `\DebugPath`
`TargetObject`	match	`Classes\ActivatableClasses\Package\Microsoft.` `\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.`