```yaml
title: Potential Persistence Via App Paths Default Property
id: 707e097c-e20f-4f67-8807-1f72ff4500d6
status: test
description: |
    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence.
    The entries found under App Paths are used primarily for the following purposes.
    First, to map an application's executable file name to that file's fully qualified path.
    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
references:
    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
        TargetObject|endswith:
            - '(Default)'
            - 'Path'
        Details|contains:
            # Add more suspicious paths or binaries as you see fit.
            - '\Users\Public'
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '%temp%'
            - '%tmp%'
            - 'iex'
            - 'Invoke-'
            - 'rundll32'
            - 'regsvr32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - '.bat'
            - '.hta'
            - '.dll'
            - '.ps1'
    condition: selection
falsepositives:
    - Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
level: high
```
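
Added example (not part of the original rule or of the Sigma project's tooling): a minimal Python evaluation of the rule's `selection` over constructed `registry_set` events, assuming Sigma's default case-insensitive string matching. The event values and the helper names `matched_indicators` and `rule_matches` are constructed for illustration; the IEXPLORE.EXE event shows how the bare `iex` substring can fire on a benign path, which is the kind of tuning the false-positive note asks for.

```python
# Added example: the rule's selection logic applied to constructed events.
# Sigma string modifiers (contains, endswith) are case-insensitive by default.
APP_PATHS = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths'
VALUE_NAMES = ('(Default)', 'Path')
SUSPICIOUS = (
    '\\Users\\Public', '\\AppData\\Local\\Temp\\', '\\Windows\\Temp\\',
    '\\Desktop\\', '\\Downloads\\', '%temp%', '%tmp%', 'iex', 'Invoke-',
    'rundll32', 'regsvr32', 'mshta', 'cscript', 'wscript',
    '.bat', '.hta', '.dll', '.ps1',
)

def matched_indicators(event):
    """Return the Details substrings that fire, or [] if the selection fails."""
    target = event.get('TargetObject', '').lower()
    details = event.get('Details', '').lower()
    # All three fields of the selection are ANDed together.
    if APP_PATHS.lower() not in target:
        return []
    if not target.endswith(tuple(v.lower() for v in VALUE_NAMES)):
        return []
    # Values inside one list are ORed: any single hit is enough.
    return [s for s in SUSPICIOUS if s.lower() in details]

def rule_matches(event):
    return bool(matched_indicators(event))

# Constructed sample events (hypothetical hosts, binaries and SID).
KEY = 'HKLM' + APP_PATHS
EVENTS = {
    'public_dir': {'TargetObject': KEY + r'\updater.exe\(Default)',
                   'Details': r'C:\Users\Public\updater.exe'},
    'program_files': {'TargetObject': KEY + r'\notepad++.exe\(Default)',
                      'Details': r'C:\Program Files\Notepad++\notepad++.exe'},
    # Benign path that still matches because 'iex' is a substring of IEXPLORE.
    'iexplore_fp': {'TargetObject': KEY + r'\IEXPLORE.EXE\(Default)',
                    'Details': r'C:\Program Files\Internet Explorer\IEXPLORE.EXE'},
    # Lower-cased per-user hive and the Path value instead of (Default).
    'user_hive_path': {'TargetObject': r'HKU\S-1-5-21-0-0-0-1001' + APP_PATHS.lower()
                       + r'\tool.exe\Path', 'Details': r'%TEMP%\tools'},
    # Suspicious data, but written outside App Paths: not this rule's scope.
    'run_key': {'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x',
                'Details': r'C:\Users\Public\a.bat'},
}

if __name__ == '__main__':
    for name, ev in EVENTS.items():
        print(f'{name:15} match={rule_matches(ev)!s:5} hits={matched_indicators(ev)}')
```
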
```kql
// ASIM registry events carry the value name in RegistryValue, separate from
// RegistryKey; check the endswith conditions against your data.
imRegistry
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths"
    and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
    and (
        RegistryValueData contains "\\Users\\Public"
        or RegistryValueData contains "\\AppData\\Local\\Temp\\"
        or RegistryValueData contains "\\Windows\\Temp\\"
        or RegistryValueData contains "\\Desktop\\"
        or RegistryValueData contains "\\Downloads\\"
        or RegistryValueData contains "%temp%"
        or RegistryValueData contains "%tmp%"
        or RegistryValueData contains "iex"
        or RegistryValueData contains "Invoke-"
        or RegistryValueData contains "rundll32"
        or RegistryValueData contains "regsvr32"
        or RegistryValueData contains "mshta"
        or RegistryValueData contains "cscript"
        or RegistryValueData contains "wscript"
        or RegistryValueData contains ".bat"
        or RegistryValueData contains ".hta"
        or RegistryValueData contains ".dll"
        or RegistryValueData contains ".ps1"
    )
```

```kql
// DeviceRegistryEvents stores the value name in RegistryValueName, separate from
// RegistryKey; check the endswith conditions against your data.
DeviceRegistryEvents
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths"
    and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
    and (
        RegistryValueData contains "\\Users\\Public"
        or RegistryValueData contains "\\AppData\\Local\\Temp\\"
        or RegistryValueData contains "\\Windows\\Temp\\"
        or RegistryValueData contains "\\Desktop\\"
        or RegistryValueData contains "\\Downloads\\"
        or RegistryValueData contains "%temp%"
        or RegistryValueData contains "%tmp%"
        or RegistryValueData contains "iex"
        or RegistryValueData contains "Invoke-"
        or RegistryValueData contains "rundll32"
        or RegistryValueData contains "regsvr32"
        or RegistryValueData contains "mshta"
        or RegistryValueData contains "cscript"
        or RegistryValueData contains "wscript"
        or RegistryValueData contains ".bat"
        or RegistryValueData contains ".hta"
        or RegistryValueData contains ".dll"
        or RegistryValueData contains ".ps1"
    )
```

| Sentinel Table | Notes |
|---|---|
| imRegistry | Ensure this data connector is enabled |