Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Sigma rule (View on GitHub)
1title: Potential Persistence Using DebugPath
2id: df4dc653-1029-47ba-8231-3c44238cc0ae
3status: experimental
4description: Detects potential persistence using Appx DebugPath
5references:
6 - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
7 - https://github.com/rootm0s/WinPwnage
8author: frack113
9date: 2022/07/27
10modified: 2023/08/17
11tags:
12 - attack.persistence
13 - attack.t1546.015
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection_debug:
19 TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
20 TargetObject|endswith: '\DebugPath'
21 selection_default:
22 TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
23 TargetObject|endswith: '\(Default)'
24 condition: 1 of selection_*
25falsepositives:
26 - Unknown
27level: medium
References
-
TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are th…
Read More -
UAC bypass, Elevate, Persistence methods. Contribute to rootm0s/WinPwnage development by creating an account on GitHub.
Read More
Related rules
- COM Hijacking via TreatAs
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Via Scrobj.dll COM Hijacking
- SOURGUM Actor Behaviours
- Rundll32 Registered COM Objects