Potential Persistence Via App Paths Default Property

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1546.012  ·
Share on: linkedin copy

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via App Paths Default Property
 2id: 707e097c-e20f-4f67-8807-1f72ff4500d6
 3status: test
 4description: |
 5    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
 6    The entries found under App Paths are used primarily for the following purposes.
 7    First, to map an application's executable file name to that file's fully qualified path.
 8    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.    
 9references:
10    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
11    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-10
14modified: 2023-08-17
15tags:
16    - attack.privilege-escalation
17    - attack.persistence
18    - attack.t1546.012
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
25        TargetObject|endswith:
26            - '(Default)'
27            - 'Path'
28        Details|contains:
29            # Add more suspicious paths or binaries as you see fit.
30            - '\Users\Public'
31            - '\AppData\Local\Temp\'
32            - '\Windows\Temp\'
33            - '\Desktop\'
34            - '\Downloads\'
35            - '%temp%'
36            - '%tmp%'
37            - 'iex'
38            - 'Invoke-'
39            - 'rundll32'
40            - 'regsvr32'
41            - 'mshta'
42            - 'cscript'
43            - 'wscript'
44            - '.bat'
45            - '.hta'
46            - '.dll'
47            - '.ps1'
48    condition: selection
49falsepositives:
50    - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
51level: high

References

Related rules

to-top