Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Sigma rule (View on GitHub)
1title: Potential Persistence Using DebugPath
2id: df4dc653-1029-47ba-8231-3c44238cc0ae
3status: test
4description: Detects potential persistence using Appx DebugPath
5references:
6 - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
7 - https://github.com/rootm0s/WinPwnage
8author: frack113
9date: 2022-07-27
10modified: 2023-08-17
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.t1546.015
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection_debug:
20 TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
21 TargetObject|endswith: '\DebugPath'
22 selection_default:
23 TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
24 TargetObject|endswith: '\(Default)'
25 condition: 1 of selection_*
26falsepositives:
27 - Unknown
28level: medium
References
-
TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are th…
Read More -
UAC bypass, Elevate, Persistence methods. Contribute to rootm0s/WinPwnage development by creating an account on GitHub.
Read More
Related rules
- COM Hijacking via TreatAs
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Via Scrobj.dll COM Hijacking