Narrator's Feedback-Hub Persistence
Detects abuse of Windows 10 Narrator's Feedback-Hub
Sigma rule

```yaml
title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
    selection2:
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
    # Add the payload in the (Default)
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
```
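The rule's detection logic evaluated over constructed registry events, as an added example (not code from the Sigma project or the original page). The event dictionaries, the `HKU` prefix and the helper names are assumptions for illustration. It shows that `selection2` carries no `EventType` filter, so any registry event on the handler's `(Default)` value matches, while `selection1` matches only deletion of `DelegateExecute`.

```python
# Added example: evaluates the rule's two selections against constructed
# registry events. Field names follow the rule; events are sample data.
KEY = r"\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command"

# Each selection maps a field to (modifier, value), mirroring the rule.
SELECTIONS = {
    "selection1": {
        "EventType": ("equals", "DeleteValue"),
        "TargetObject": ("endswith", KEY + r"\DelegateExecute"),
    },
    "selection2": {"TargetObject": ("endswith", KEY + r"\(Default)")},
}


def field_matches(event, field, modifier, expected):
    """Compare one field; Sigma string matching is case-insensitive by default."""
    actual = event.get(field)
    if actual is None:
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected


def matched_selections(event):
    """Return names of selections whose fields all match (AND within a selection)."""
    return [name for name, fields in SELECTIONS.items()
            if all(field_matches(event, f, m, v) for f, (m, v) in fields.items())]


def rule_fires(event):
    """condition: 1 of selection* (OR across selections)."""
    return bool(matched_selections(event))


# Constructed sample events (not taken from real telemetry).
HKU = r"HKU\S-1-5-21-1111-2222-3333-1001_Classes"
SAMPLE_EVENTS = [
    {"EventType": "DeleteValue", "TargetObject": HKU + KEY + r"\DelegateExecute"},
    {"EventType": "SetValue", "TargetObject": HKU + KEY + r"\(Default)"},
    {"EventType": "SetValue", "TargetObject": HKU + KEY + r"\DelegateExecute"},
    {"EventType": "SetValue", "TargetObject": (HKU + KEY).lower() + r"\(default)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["TargetObject"])
```

The third event, a `SetValue` on `DelegateExecute`, does not fire: the rule only watches that value for deletion.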
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification