
Registry Modification of MS-settings Protocol Handler

Status: test
Severity: medium
Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects registry modifications to the 'ms-settings' protocol handler (the key path \ms-settings\shell\open\command, normally written under HKCU\Software\Classes), which is frequently targeted for UAC bypass or persistence. Windows binaries that auto-elevate under UAC resolve this handler through the user-writable HKCU\Software\Classes hive, so an attacker who plants a command in that key gets it executed with elevated privileges, hijacking the command execution path.

MITRE ATT&CK coverage

Tactics (from the rule's tags): privilege-escalation, persistence, defense-impairment
Techniques: T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1546.001 (Event Triggered Execution: Change Default File Association), T1112 (Modify Registry)
Event coverage

Provider   Event        Title
Sysmon     Event ID 1   Process creation

The rule's logsource is process_creation/windows, so any source mapped to that category can feed it, but the OriginalFileName alternatives only work with a provider that records it (Sysmon does; Security event 4688 does not), and CommandLine must be populated.

Rule body (yaml)

title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium

Stages and Predicates

Stage 0: condition

(all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key

Stage 1: selection_reg_img

selection_reg_img:
    - Image|endswith: '\reg.exe'
    - OriginalFileName: 'reg.exe'

Stage 2: selection_reg_cli

selection_reg_cli:
    CommandLine|contains: 'add'

Stage 3: selection_pwsh_img

selection_pwsh_img:
    - Image|endswith:
          - '\powershell.exe'
          - '\pwsh.exe'
    - OriginalFileName:
          - 'powershell.exe'
          - 'pwsh.dll'

Stage 4: selection_pwsh_cli

selection_pwsh_cli:
    CommandLine|contains:
        - 'New-ItemProperty'
        - 'Set-ItemProperty'
        - 'ni '
        - 'sp '

Stage 5: selection_cli_key

selection_cli_key:
    CommandLine|contains: '\ms-settings\shell\open\command'
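
To see how the condition in Stage 0 combines the five selections, here is an added Python evaluator that transcribes each selection into one function and runs the rule over a handful of constructed Sysmon Event ID 1 records. It is example code written for this page, not the SigmaHQ rule or pySigma; the events, the paths and the payload file name in them are made up, and matching is case-insensitive, as Sigma specifies by default.

```python
"""Evaluate the rule's selections and condition over Sysmon Event ID 1 records.

Added example for this page, not SigmaHQ or pySigma code. Field names follow
Sysmon (Image, OriginalFileName, CommandLine); all sample events are constructed.
"""


def _lc(event, field):
    # Sigma string matching is case-insensitive by default, so normalise once.
    return str(event.get(field, "")).lower()


def selection_reg_img(event):
    # A YAML list of maps is an OR: Image ends with '\reg.exe' OR OriginalFileName is 'reg.exe'.
    return (_lc(event, "Image").endswith("\\reg.exe")
            or _lc(event, "OriginalFileName") == "reg.exe")


def selection_reg_cli(event):
    return "add" in _lc(event, "CommandLine")


def selection_pwsh_img(event):
    # pwsh.exe reports OriginalFileName 'pwsh.dll', hence the .dll name in the rule.
    return (_lc(event, "Image").endswith(("\\powershell.exe", "\\pwsh.exe"))
            or _lc(event, "OriginalFileName") in ("powershell.exe", "pwsh.dll"))


def selection_pwsh_cli(event):
    # 'ni ' and 'sp ' are the default aliases of New-Item and Set-ItemProperty;
    # the trailing space belongs to the pattern.
    cmdline = _lc(event, "CommandLine")
    return any(t in cmdline for t in ("new-itemproperty", "set-itemproperty", "ni ", "sp "))


def selection_cli_key(event):
    return "\\ms-settings\\shell\\open\\command" in _lc(event, "CommandLine")


def rule_matches(event):
    # condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
    reg_branch = selection_reg_img(event) and selection_reg_cli(event)
    pwsh_branch = selection_pwsh_img(event) and selection_pwsh_cli(event)
    return (reg_branch or pwsh_branch) and selection_cli_key(event)


KEY = r"HKCU\Software\Classes\ms-settings\shell\open\command"  # the rule does not constrain the hive

# Constructed Sysmon Event ID 1 records, reduced to the three fields the rule reads.
SAMPLE_EVENTS = [
    ("reg_add", {                      # expected: match via the reg.exe branch
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": rf"reg add {KEY} /ve /d C:\Users\Public\payload.exe /f",
    }),
    ("renamed_reg", {                  # expected: match; Image is renamed but OriginalFileName survives
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": rf"r.exe add {KEY} /ve /d C:\Users\Public\payload.exe /f",
    }),
    ("pwsh_new_itemproperty", {        # expected: match via the PowerShell branch
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh.exe -c New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name '(default)' -Value C:\Users\Public\payload.exe",
    }),
    ("reg_query", {                    # expected: no match, 'add' is absent
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": rf"reg query {KEY}",
    }),
    ("pwsh_other_key", {               # expected: no match, the key path is absent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -c Set-ItemProperty -Path HKCU:\Environment -Name Path -Value C:\Tools",
    }),
    ("pwsh_wrapping_reg", {            # expected: no match on this event; the reg.exe child it spawns matches
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": rf'powershell.exe -Command "reg add {KEY} /ve /d C:\Users\Public\payload.exe /f"',
    }),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return [(label, matched)] for each record."""
    return [(label, rule_matches(event)) for label, event in events]


if __name__ == "__main__":
    for label, hit in evaluate():
        print(f"{'ALERT   ' if hit else 'no match'}  {label}")
```

The renamed-binary record matches only through OriginalFileName, which is why the rule carries that field next to Image. The last record shows a gap worth knowing: a powershell.exe -Command "reg add ..." launch does not satisfy the PowerShell branch (no cmdlet or alias in the command line), so the reg.exe child it spawns is the event that fires; filtering reg.exe events out of the pipeline upstream would lose that detection.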

Indicators

Each row is a field, operator and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or a count of 1 means the indicator is specific to this rule.

Field              Kind       Value                              Corpus
CommandLine        contains   New-ItemProperty                   7 (sigma 7)
                              Set-ItemProperty                   7 (sigma 7)
                              \ms-settings\shell\open\command    (specific to this rule)
                              add                                36 (sigma 28, splunk 4, chronicle 2, kusto 2)
                              'ni ' (trailing space)             2 (sigma 2)
                              'sp ' (trailing space)             2 (sigma 2)
Image              endswith   \powershell.exe                    186 (sigma 186)
                              \pwsh.exe                          172 (sigma 172)
                              \reg.exe                           60 (sigma 60)
OriginalFileName   eq         powershell.exe                     121 (sigma 85, splunk 30, elastic 6)
                              pwsh.dll                           112 (sigma 79, splunk 30, elastic 3)
                              reg.exe                            42 (sigma 32, splunk 8, elastic 2)