Persistence Via TypedPaths - CommandLine
Detects the modification or addition of values under the 'TypedPaths' key in the current-user or administrator registry hive via the command line, which might indicate a persistence attempt.
Sigma rule

title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    condition: selection
falsepositives:
    - Unknown
level: medium
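As an added example (not part of the SigmaHQ rule or this site), the following Python applies the rule's single selection to a few constructed process-creation records and reports which ones it would flag; the tab-separated record format, the image paths and the command lines are assumptions made for the demonstration.

```python
"""Added example: evaluate the TypedPaths Sigma selection against constructed
process_creation events (not part of the SigmaHQ rule or its website)."""
from typing import Iterable

# The rule's only selection: CommandLine|contains this registry subpath.
TYPEDPATHS_FRAGMENT = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Constructed sample events (not real telemetry), flattened to tab-separated
# key=value fields shaped loosely like a Sysmon Event ID 1 record.
SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Windows\\System32\\reg.exe\tCommandLine=reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths /v url1 /t REG_SZ /d C:\\placeholder\\path /f",
    "EventID=1\tImage=C:\\Windows\\explorer.exe\tCommandLine=C:\\Windows\\explorer.exe",
    "EventID=1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tCommandLine=powershell -c Set-ItemProperty -Path 'HKCU:\\software\\microsoft\\windows\\currentversion\\explorer\\typedpaths' -Name url2 -Value C:\\placeholder",
    "EventID=1\tImage=C:\\Windows\\System32\\reg.exe\tCommandLine=reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]


def parse_event(line: str) -> dict:
    """Split one tab-separated key=value record into a dict of fields."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def matches_typedpaths_rule(event: dict) -> bool:
    """Sigma's 'contains' modifier is case-insensitive, so compare lowercased."""
    cmd = event.get("CommandLine", "")
    return TYPEDPATHS_FRAGMENT.lower() in cmd.lower()


def run_rule(lines: Iterable[str]) -> list:
    """Return (Image, CommandLine) for every process-creation event that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1" and matches_typedpaths_rule(ev):
            hits.append((ev.get("Image", ""), ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    # The reg.exe 'add' and the mixed-case PowerShell write are flagged;
    # plain explorer.exe and the unrelated Run-key query are not.
    for image, cmd in run_rule(SAMPLE_EVENTS):
        print(f"ALERT level=medium image={image} cmdline={cmd}")
```

Because the rule matches only on the registry path substring, a triage step would still need to look at the process image and the written value to separate an operator typing into Explorer's address bar from a scripted write to the key.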
