Potential Persistence Via TypedPaths
Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
Sigma rule (View on GitHub)
1title: Potential Persistence Via TypedPaths
2id: 086ae989-9ca6-4fe7-895a-759c5544f247
3status: experimental
4description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
5references:
6 - https://twitter.com/dez_/status/1560101453150257154
7 - https://forensafe.com/blogs/typedpaths.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/08/22
10modified: 2023/08/17
11tags:
12 - attack.persistence
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\'
19 filter:
20 Image:
21 - 'C:\Windows\explorer.exe'
22 - 'C:\Windows\SysWOW64\explorer.exe'
23 condition: selection and not filter
24falsepositives:
25 - Unlikely
26level: high
References
-
-
Investigating Typed Paths 11/10/2021 Monday TypedPaths is a Windows Registry key that records the last 25 paths typed or inserted into the path bar of File Explorer (previously known as Windows Exp...
Read More
Related rules
- Add Debugger Entry To AeDebug For Persistence
- Add Debugger Entry To Hangs Key For Persistence
- Bypass UAC Using Event Viewer
- COM Hijacking via TreatAs
- Classes Autorun Keys Modification