Persistence Via TypedPaths - CommandLine

sigma · MEDIUM · SigmaHQ · imProcessCreate · persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects modifications or additions to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.

Detection Rule

Sigma (Original)

title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"

Required Data Sources

Sentinel Table | Notes
imProcessCreate | Ensure this data connector is enabled

False Positive Guidance
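
As an added example (not part of the SigmaHQ rule or of this page's original content), the Python below applies the rule's case-insensitive `contains` match to constructed command lines and labels each hit by whether it carries a registry write verb. The `WRITE_HINTS` pattern, the helper names and the sample events are assumptions made for illustration; the output shows that read-only commands such as `reg query` also satisfy the selection.

```python
import re

# Substring from the rule's selection; Sigma's `contains` is case-insensitive.
TYPED_PATHS = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Assumption (not part of the rule): command verbs that write to the registry,
# used only to rank hits for triage.
WRITE_HINTS = re.compile(
    r"\breg(\.exe)?\"?\s+(add|import)\b|\b(Set|New)-ItemProperty\b", re.I)

# Constructed sample command lines, not taken from real telemetry.
SAMPLE_EVENTS = [
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /v url1 /t REG_SZ /d C:\Temp /f',
    r"REG.EXE QUERY hkcu\software\microsoft\windows\currentversion\explorer\typedpaths",
    r"powershell -c Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths' -Name url1 -Value 'C:\Temp'",
    r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
]


def matches_rule(command_line: str) -> bool:
    """Equivalent of the rule's `CommandLine|contains` selection."""
    return TYPED_PATHS.lower() in command_line.lower()


def triage(command_line: str):
    """None: rule does not fire; 'write': hit with a write verb; 'review': other hit."""
    if not matches_rule(command_line):
        return None
    return "write" if WRITE_HINTS.search(command_line) else "review"


def triage_all(events):
    """Label every command line in order."""
    return [triage(event) for event in events]


if __name__ == "__main__":
    for event, label in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{label!s:7} {event}")
```
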

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml