Detectionhightest

Potential Persistence Via App Paths Default Property

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 10Updated Thu Aug 17707e097c-e20f-4f67-8807-1f72ff4500d6windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
        TargetObject|endswith:
            - '(Default)'
            - 'Path'
        Details|contains:
            # Add more suspicious paths or binaries as you see fit.
            - '\Users\Public'
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '%temp%'
            - '%tmp%'
            - 'iex'
            - 'Invoke-'
            - 'rundll32'
            - 'regsvr32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - '.bat'
            - '.hta'
            - '.dll'
            - '.ps1'
    condition: selection