LongPathsEnabled - registry modified
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| LongPathsEnabled - registry modified | Standard | Windows, Sysmon | Persistence: Modify Registry (T1112) | Trouble |
About the rule
Rule Type
Standard
Rule Description
The following analytic detects a modification to the Windows registry value LongPathsEnabled (path: HKLM\SYSTEM\ControlSet001\Control\FileSystem\LongPathsEnabled, value: 0x00000001), which allows file paths longer than 260 characters. This activity is significant because adversaries, including malware such as BlackByte, use this setting to bypass file path limitations, potentially aiding evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding persistence and further system compromise.
Why this rule?
Enabling LongPathsEnabled removes Windows' default 260-character path limit, a restriction that certain malware families — most notably BlackByte ransomware — exploit to deploy payloads in deeply nested directories that evade traditional security scanning. Adversaries modify this registry key to bypass file path limitations, aiding in both defense evasion and persistence. Detecting this change is important because it signals a possible early-stage attack setup and warrants immediate investigation of the modifying process.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access via spear-phishing or brute-forced RDP -> Execution via PowerShell/CMD silent registry write -> Defense Evasion via deeply nested paths bypassing security tools -> Persistence via run key/scheduled task surviving remediation
Impact
Modification of this registry key can enable adversaries to deploy long-path payloads that evade security controls, facilitating persistent access and further compromise of the affected system.
Rule Requirement
Prerequisites
Install Sysmon from Microsoft Sysinternals with registry event monitoring enabled.
Criteria
Action1:
actionname = "Registry Event" AND ( OBJECTNAME contains "Control\FileSystem" ) AND ( OBJECTNAME endswith "LongPathsEnabled" OR OBJECTVALUENAME = "LongPathsEnabled" ) AND ( CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
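As an added illustration, not part of the rule page or the vendor's engine, the Action1 criteria above re-expressed as a Python check and run over constructed Sysmon registry events. Field names (Computer, Image, User, TargetObject, Details) are Sysmon's; the event values themselves are made up, and case-insensitive matching is an assumption of this example.

```python
"""Toy re-implementation of the LongPathsEnabled rule over Sysmon registry events."""

# Constructed sample events in the shape of Sysmon Event ID 13 (RegistryEvent, value
# set) and Event ID 12 (key create). Field names follow Sysmon; every value is made up.
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000001)"},                      # enables long paths: alert
    {"Computer": "ws01.corp.example", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000000)"},                      # sets it back to 0: no alert
    {"Computer": "ws02.corp.example", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\regedit.exe", "User": r"CORP\admin",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation",
     "Details": "DWORD (0x00000001)"},                      # same key, other value: no alert
    {"Computer": "ws02.corp.example", "EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": ""},                                        # key touched, no value written
]


def matches_long_paths_rule(ev: dict) -> bool:
    """Apply the page's Action1 criteria to one Sysmon registry event.

    actionname = "Registry Event"                       -> Sysmon EventID 12, 13 or 14
    OBJECTNAME contains "Control\\FileSystem"           -> substring of TargetObject
    OBJECTNAME endswith "LongPathsEnabled"
      OR OBJECTVALUENAME = "LongPathsEnabled"           -> last path component
    CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)" -> Details field
    Comparisons are case-insensitive here (an assumption; registry paths are not case-sensitive).
    """
    if ev.get("EventID") not in (12, 13, 14):
        return False
    target = ev.get("TargetObject", "")
    value_name = target.rsplit("\\", 1)[-1]
    if "control\\filesystem" not in target.lower():
        return False
    if not (target.lower().endswith("longpathsenabled") or value_name.lower() == "longpathsenabled"):
        return False
    details = ev.get("Details", "").strip()
    return details in ("1", "DWORD (0x00000001)")


def find_alerts(events) -> list:
    """Return the fields the rule's select clause projects, one row per matching event."""
    return [{"HOSTNAME": ev.get("Computer"), "PROCESSNAME": ev.get("Image"),
             "USERNAME": ev.get("User"), "OBJECTNAME": ev.get("TargetObject"),
             "INFORMATION": ev.get("Details")}
            for ev in events if matches_long_paths_rule(ev)]


if __name__ == "__main__":
    for row in find_alerts(SAMPLE_EVENTS):
        print(row)
```

Only the first constructed event fires; the write of 0, the unrelated value under the same key, and the bare key creation are all filtered out, which is the behaviour a triage analyst should expect from the criteria.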
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Persistence: Modify Registry (T1112)
Future actions
Known False Positives
Administrators may toggle this feature, which can result in false positives.
Next Steps
- Identification: Identify the specific registry key modification and the process or user account responsible for the change.
- Analysis: Verify whether the modification was made by a legitimate administrator or an unauthorized process, and check for associated suspicious activity.
- Response: Revert the registry key to its original value and investigate any payloads or processes that may have leveraged the long-path capability.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |