Narrator's Feedback-Hub Persistence
Detects abuse of Windows 10 Narrator's Feedback-Hub.
Sigma rule
title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
    selection2:
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
        # Add the payload in the (Default)
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
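Added example (not part of the upstream Sigma rule): a small Python evaluator for the rule's detection block, run over constructed Sysmon-style registry events to show which events each selection catches. The event dictionaries, the placeholder SID, the "AppXother" key and the helper names are assumptions made for illustration.

```python
# Added example: evaluates this rule's two selections against registry events.
SUFFIX_BASE = r"\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command"

SELECTIONS = {
    # selection1: only DeleteValue events on DelegateExecute
    "selection1": {"EventType": "DeleteValue",
                   "TargetObject|endswith": SUFFIX_BASE + r"\DelegateExecute"},
    # selection2: no EventType constraint, so any registry event on (Default)
    "selection2": {"TargetObject|endswith": SUFFIX_BASE + r"\(Default)"},
}

def field_matches(event, key, expected):
    """Match one 'Field' or 'Field|endswith' item; Sigma string
    comparison is case-insensitive by default."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected

def matched_selections(event):
    """Names of the selections whose fields all match (AND within a selection)."""
    return [name for name, sel in SELECTIONS.items()
            if all(field_matches(event, k, v) for k, v in sel.items())]

def rule_fires(event):
    """condition: 1 of selection*"""
    return bool(matched_selections(event))

# Constructed sample events (placeholder SID, not taken from real logs).
KEY = r"HKU\S-1-5-21-0000000000-0000000000-0000000000-1001_Classes" + SUFFIX_BASE
SAMPLE_EVENTS = [
    {"EventType": "DeleteValue", "TargetObject": KEY + r"\DelegateExecute"},
    {"EventType": "SetValue", "TargetObject": KEY + r"\(Default)"},
    # SetValue on DelegateExecute: selection1 requires DeleteValue, so no match
    {"EventType": "SetValue", "TargetObject": KEY + r"\DelegateExecute"},
    # Different casing still matches
    {"EventType": "DeleteValue", "TargetObject": KEY.upper() + r"\DELEGATEEXECUTE"},
    # Same value name under an unrelated (made-up) class key
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Classes\AppXother\Shell\open\command\(Default)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["TargetObject"])
```
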
Related rules
- File Creation In Suspicious Directory By Msdt.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Kapeka Backdoor Autorun Persistence
- Leviathan Registry Key Activity