Persistence Via TypedPaths - CommandLine
Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
Sigma rule (View on GitHub)
1title: Persistence Via TypedPaths - CommandLine
2id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
3status: test
4description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
5references:
6 - https://twitter.com/dez_/status/1560101453150257154
7 - https://forensafe.com/blogs/typedpaths.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/08/22
10tags:
11 - attack.persistence
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
18 condition: selection
19falsepositives:
20 - Unknown
21level: medium
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Added Credentials to Existing Application
- Anydesk Remote Access Software Service Installation