User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry, T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
```yaml
detection:
  # Stage 1: all of selection_img
  selection_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\reg.exe'
    - OriginalFileName:
        - 'powershell.exe'
        - 'pwsh.dll'
        - 'reg.exe'
  # Stage 2: all of selection_cli_action
  selection_cli_action:
    CommandLine|contains:
      - ' add '
      - 'New-ItemProperty'
      - 'Set-ItemProperty'
      - 'si '
  # Stage 3: all of selection_cli_paths_root
  selection_cli_paths_root:
    CommandLine|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
  # Stage 4: all of selection_cli_paths_suffix
  selection_cli_paths_suffix:
    CommandLine|contains: 'Startup'
  condition: all of selection_*
```
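To see how the four selections combine, here is an added example (not part of the rule page or the Sigma project) that applies the same predicates to constructed Sysmon Event ID 1 records, including two negatives that show why the action and path stages are both needed. The sample events and the paths in them are made up for the test.

```python
# Added example, not part of the rule page: applies the rule's four selections
# to constructed Sysmon Event ID 1 records so the logic can be checked against
# known-good and known-bad samples before deployment. Fields follow Sysmon/Sigma.

SEL_IMG_ENDSWITH = ("\\powershell.exe", "\\pwsh.exe", "\\reg.exe")
SEL_IMG_ORIGINAL = ("powershell.exe", "pwsh.dll", "reg.exe")
SEL_CLI_ACTION = (" add ", "New-ItemProperty", "Set-ItemProperty", "si ")
SEL_CLI_PATHS_ROOT = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
)
SEL_CLI_PATHS_SUFFIX = ("Startup",)

def _contains_any(text, needles):
    # Sigma string matching is case-insensitive unless a rule says otherwise.
    low = text.lower()
    return any(n.lower() in low for n in needles)

def matches(event):
    """True when every selection matches, i.e. Sigma 'all of selection_*'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    sel_img = image.endswith(SEL_IMG_ENDSWITH) or original in SEL_IMG_ORIGINAL
    return (sel_img and _contains_any(cmd, SEL_CLI_ACTION)
            and _contains_any(cmd, SEL_CLI_PATHS_ROOT)
            and _contains_any(cmd, SEL_CLI_PATHS_SUFFIX))

USF = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
# Constructed sample events (no real telemetry), paired with the expected verdict.
SAMPLES = [
    # reg.exe redirecting the Startup shell folder: alert
    ({"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
      "CommandLine": f'reg add "HKCU{USF}" /v Startup /t REG_EXPAND_SZ /d C:\\Users\\Public\\x /f'}, True),
    # PowerShell 7 doing the same via Set-ItemProperty: alert
    ({"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",
      "CommandLine": f'pwsh -c Set-ItemProperty "HKCU:{USF}" -Name Startup -Value C:\\x'}, True),
    # Read-only query of the same value: no write action, no alert
    ({"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
      "CommandLine": f'reg query "HKCU{USF}" /v Startup'}, False),
    # Write to a different Explorer key: path predicate fails, no alert
    ({"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
      "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v Hidden /t REG_DWORD /d 1 /f"}, False),
]

def evaluate(samples=SAMPLES):
    """Return [(expected, actual)] so a test can confirm the rule behaves as intended."""
    return [(expected, matches(ev)) for ev, expected in samples]
```

Because the rule keys on substrings only, a hit shows that a write to these keys was attempted, not that the new value is malicious; triage by checking where the Startup value now points and which parent process launched reg.exe or PowerShell.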
Indicators
Each row is a field, the operator applied to it, and the values the rule matches. Where the catalog shows a corpus column, it counts how many other rules look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | ' add ', New-ItemProperty, Set-ItemProperty, 'si ', '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', Startup |
| Image | ends_with | '\powershell.exe', '\pwsh.exe', '\reg.exe' |
| OriginalFileName | eq | powershell.exe, pwsh.dll, reg.exe |