Suspicious Modification of Service ImagePath for ClipUp Defender Evasion

Rule Info

Name: Suspicious Modification of Service ImagePath for ClipUp Defender Evasion
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects registry modifications that set the ImagePath of a service to execute ClipUp.exe with Protected Process Light (PPL) parameters targeting Windows Defender locations. Attackers use this technique to replace the Windows Defender service executable before it initializes, effectively bypassing its protections. The approach uses CreateProcessAsPPL.exe to obtain PPL privileges, which normally protect security software from tampering.
Date: 2026-01-29 00:00:00
Modified: None
Id: ae8f85a3-c3e8-4d1f-9a51-2b3fba56d1c1
Tags: attack.defense-evasion attack.privilege-escalation attack.t1562.001 attack.t1068
Type: Nextron Sigma feed only (private)
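As an added illustration, not the rule itself (which ships only in the private feed), the Python below sketches the detection logic the description implies and runs it over constructed Sysmon Event ID 13 (registry value set) records. The match patterns, severity tiers and the shape of the ClipUp command line are assumptions; the page does not give the exact PPL argument syntax.

```python
import re

# Constructed Sysmon Event ID 13 records for demonstration only; not real telemetry.
# The ClipUp command line in the second record is an assumption ("<ppl-args>" stands in
# for the PPL parameters, whose exact form the rule description does not spell out).
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'C:\Windows\System32\ClipUp.exe <ppl-args> "C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\SomeSvc\ImagePath",
     "Details": r"C:\Windows\System32\ClipUp.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"TargetObject": r"HKLM\Software\Example\ClipUp\LastRun",
     "Details": r"C:\Windows\System32\ClipUp.exe"},
]

# Only writes to a service's ImagePath value are in scope.
IMAGEPATH_RE = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
# ClipUp.exe is not a service host binary, so any ImagePath pointing at it is suspicious.
CLIPUP_RE = re.compile(r"clipup\.exe", re.IGNORECASE)
# A Defender location in the same value matches the behaviour the rule describes.
DEFENDER_RE = re.compile(r"\\Windows Defender\\", re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or None for one registry value-set event."""
    if not IMAGEPATH_RE.search(event["TargetObject"]):
        return None
    details = event["Details"]
    if not CLIPUP_RE.search(details):
        return None
    return "high" if DEFENDER_RE.search(details) else "medium"


def scan(events):
    """Return (TargetObject, severity) for every event that matches."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["TargetObject"], severity))
    return hits
```

A medium hit (ClipUp.exe as a service ImagePath with no Defender path) is still worth triage, since the legitimate binary has no reason to be registered as a service executable.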

Rule History