Registry Persistence Mechanisms in Recycle Bin

Severity: high
Author: frack113
Source: upstream

Detects persistence registry keys for Recycle Bin

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547` Boot or Logon Autostart Execution
Privilege Escalation	`T1547` Boot or Logon Autostart Execution

Event coverage

Provider	Event ID	Title
Sysmon	12	RegistryEvent (Object create and delete)
Sysmon	13	RegistryEvent (Value Set)
Sysmon	14	RegistryEvent (Key and Value Rename)

Stages and Predicates

Stage 1: `1 of selection_create`

EventType: RenameKey
NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'

Stage 2: `1 of selection_set`

EventType: SetValue
TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventType`	eq	`RenameKey` `SetValue` corpus 3 (sigma 3)
`NewName`	match	`\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open`
`TargetObject`	match	`\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)`