Narrator's Feedback-Hub Persistence

Oct 18, 2023 · attack.persistence attack.t1547.001 ·

Detects abusing Windows 10 Narrator's Feedback-Hub

Sigma rule (View on GitHub)

 1title: Narrator's Feedback-Hub Persistence
 2id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
 3status: test
 4description: Detects abusing Windows 10 Narrator's Feedback-Hub
 5references:
 6    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 7author: Dmitriy Lifanov, oscd.community
 8date: 2019/10/25
 9modified: 2022/03/26
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_event
15    product: windows
16detection:
17    selection1:
18        EventType: DeleteValue
19        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
20    selection2:
21        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
22    # Add the payload in the (Default)
23    condition: 1 of selection*
24falsepositives:
25    - Unknown
26level: high

References

Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

Penetration testing Web, Wireless, Network Security

Read More

Narrator's Feedback-Hub Persistence

Sigma rule (View on GitHub)

References

Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

Related rules