Potential Persistence Via App Paths Default Property

 1title: Potential Persistence Via App Paths Default Property
 2id: 707e097c-e20f-4f67-8807-1f72ff4500d6
 3status: experimental
 4description: |
 5    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
 6    The entries found under App Paths are used primarily for the following purposes.
 7    First, to map an application's executable file name to that file's fully qualified path.
 8    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.    
 9references:
10    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
11    - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/10
14modified: 2023/08/17
15tags:
16    - attack.persistence
17    - attack.t1546.012
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    selection:
23        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
24        TargetObject|endswith:
25            - '(Default)'
26            - 'Path'
27        Details|contains:
28            # Add more suspicious paths or binaries as you see fit.
29            - '\Users\Public'
30            - '\AppData\Local\Temp\'
31            - '\Windows\Temp\'
32            - '\Desktop\'
33            - '\Downloads\'
34            - '%temp%'
35            - '%tmp%'
36            - 'iex'
37            - 'Invoke-'
38            - 'rundll32'
39            - 'regsvr32'
40            - 'mshta'
41            - 'cscript'
42            - 'wscript'
43            - '.bat'
44            - '.hta'
45            - '.dll'
46            - '.ps1'
47    condition: selection
48falsepositives:
49    - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
50level: high