Potential Persistence Using DebugPath

Hunt Hypothesis

Detects potential persistence using Appx DebugPath

Detection Rule

Sigma (Original)

title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Privilege Escalation
• Tactic: Persistence
• Technique: T1546.015 — T1546.015

References

• https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
• https://github.com/rootm0s/WinPwnage
• SigmaHQ Rule