Registry Modification of MS-settings Protocol Handler
Detects process creations in which reg.exe or PowerShell writes to the 'ms-settings' protocol handler key (\ms-settings\shell\open\command), a key frequently targeted for UAC bypass and persistence. The per-user copy of the handler under HKCU\Software\Classes is writable without elevation and takes precedence over the machine-wide one, so an attacker who points its command value at a payload and then starts an auto-elevated binary that opens the ms-settings: scheme (fodhelper.exe is the classic example) gets that payload executed with elevated privileges.
MITRE ATT&CK coverage
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_reg_img
or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe
Stage 2: all of selection_reg_cli
CommandLine|contains: add
Stage 3: all of selection_pwsh_img
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: powershell.exe
OriginalFileName: pwsh.dll
Stage 4: all of selection_pwsh_cli
or:
CommandLine|contains: New-ItemProperty
CommandLine|contains: Set-ItemProperty
CommandLine|contains: 'ni '
CommandLine|contains: 'sp '
Stage 5: selection_cli_key
CommandLine|contains: '\ms-settings\shell\open\command'
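To show how the description and the five selections above behave on real-looking telemetry, here is an added Python example that implements each selection and runs it over constructed Sysmon Event ID 1 records. This is illustrative code, not the catalog's or the Sigma project's own; the combination of the selections (reg.exe selections together, or the PowerShell selections together, and in both cases the key selection) is an assumption, since the page lists the stages but not the rule's condition line. Matching is done case-insensitively, which is Sigma's default for string modifiers.

```python
"""Run the ms-settings handler rule's selections over constructed Sysmon Event ID 1 records.

Assumed condition (not stated on the page):
    (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
"""

KEY = r"\ms-settings\shell\open\command"

# Constructed sample events, not real telemetry. Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # 1: fodhelper-style UAC bypass staged with reg.exe
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /d "C:\Users\Public\payload.exe" /f',
    },
    {   # 2: same key written from PowerShell through the sp (Set-ItemProperty) alias
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -nop -c sp HKCU:\Software\Classes\ms-settings\shell\open\command '(default)' C:\Users\Public\payload.exe",
    },
    {   # 3: benign read of the same key (no 'add'), should not alert
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKCU\Software\Classes\ms-settings\shell\open\command",
    },
    {   # 4: reg add against an unrelated key, should not alert on this rule
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.exe /f",
    },
    {   # 5: same key written by a tool the rule does not list: a coverage gap
        "Image": r"C:\Users\Public\tool.exe",
        "OriginalFileName": "tool.exe",
        "CommandLine": r"tool.exe --set HKCU\Software\Classes\ms-settings\shell\open\command C:\Users\Public\payload.exe",
    },
]


def _field(event, name):
    # Sigma string matching is case-insensitive by default; normalise once here.
    return str(event.get(name, "")).lower()


def selection_reg_img(event):
    return _field(event, "Image").endswith(r"\reg.exe") or _field(event, "OriginalFileName") == "reg.exe"


def selection_reg_cli(event):
    return "add" in _field(event, "CommandLine")


def selection_pwsh_img(event):
    image, ofn = _field(event, "Image"), _field(event, "OriginalFileName")
    return image.endswith((r"\powershell.exe", r"\pwsh.exe")) or ofn in ("powershell.exe", "pwsh.dll")


def selection_pwsh_cli(event):
    cmd = _field(event, "CommandLine")
    # 'ni ' and 'sp ' are the New-ItemProperty / Set-ItemProperty aliases; both substrings are noisy on their own.
    return any(token in cmd for token in ("new-itemproperty", "set-itemproperty", "ni ", "sp "))


def selection_cli_key(event):
    return KEY.lower() in _field(event, "CommandLine")


def matches(event):
    """Evaluate the assumed condition for one process-creation event."""
    via_reg = selection_reg_img(event) and selection_reg_cli(event)
    via_pwsh = selection_pwsh_img(event) and selection_pwsh_cli(event)
    return (via_reg or via_pwsh) and selection_cli_key(event)


def run(events):
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, event in enumerate(events, 1) if matches(event)]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: {'ALERT' if matches(event) else 'no match'}  {event['CommandLine'][:70]}")
```

Events 1 and 2 alert, events 3 and 4 do not, and event 5 is the caveat worth keeping in mind: the handler key is written, but by a binary the rule never looks at, so a process-creation rule alone misses it. Pairing this rule with a registry-event rule on the same key path (Sysmon Event ID 13, value set) catches the write regardless of which tool performed it. Note also that the 'ni ' and 'sp ' tokens only stay precise because the key selection is required alongside them.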
Indicators
Each row is a field, the operator applied to it, and the values the rule matches, collected from the predicates above ('match' on CommandLine is a substring test; 'ends_with' and 'eq' are a suffix test and an exact comparison).
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | add; New-ItemProperty; Set-ItemProperty; 'ni '; 'sp '; \ms-settings\shell\open\command |
| Image | ends_with | \reg.exe; \powershell.exe; \pwsh.exe |
| OriginalFileName | eq | reg.exe; powershell.exe; pwsh.dll |