EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Persistence Using DebugPath

Detects potential persistence using Appx DebugPath

MITRE ATT&CK

T1546.015
privilege-escalationpersistence

Detection Query

selection_debug:
  TargetObject|contains: Classes\ActivatableClasses\Package\Microsoft.
  TargetObject|endswith: \DebugPath
selection_default:
  TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.
  TargetObject|endswith: \(Default)
condition: 1 of selection_*

Author

frack113

Created

2022-07-27

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1546.015
Raw Content
title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium