Potential Persistence Via TypedPaths

Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt

Sigma rule (View on GitHub)

 1title: Potential Persistence Via TypedPaths
 2id: 086ae989-9ca6-4fe7-895a-759c5544f247
 3status: test
 4description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
 5references:
 6    - https://twitter.com/dez_/status/1560101453150257154
 7    - https://forensafe.com/blogs/typedpaths.html
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-22
10modified: 2023-08-17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\'
19    filter:
20        Image:
21            - 'C:\Windows\explorer.exe'
22            - 'C:\Windows\SysWOW64\explorer.exe'
23    condition: selection and not filter
24falsepositives:
25    - Unlikely
26level: high

References

Related rules

to-top