Potential Persistence Using DebugPath

Detects potential persistence using Appx DebugPath

Sigma rule (View on GitHub)

 1title: Potential Persistence Using DebugPath
 2id: df4dc653-1029-47ba-8231-3c44238cc0ae
 3status: test
 4description: Detects potential persistence using Appx DebugPath
 5references:
 6    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
 7    - https://github.com/rootm0s/WinPwnage
 8author: frack113
 9date: 2022-07-27
10modified: 2023-08-17
11tags:
12    - attack.persistence
13    - attack.t1546.015
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection_debug:
19        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
20        TargetObject|endswith: '\DebugPath'
21    selection_default:
22        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
23        TargetObject|endswith: '\(Default)'
24    condition: 1 of selection_*
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top