Registry Tampering by Potentially Suspicious Processes
Detects registry modifications made by script engine processes such as WScript, CScript, or MSHTA. These processes are rarely used for legitimate registry modifications, so their registry activity may indicate an attempt to modify the registry without using the standard tools regedit.exe or reg.exe, potentially for evasion and persistence.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.005 Command and Scripting Interpreter: Visual Basic |
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 12 | RegistryEvent (Object create and delete) |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Sysmon | 14 | RegistryEvent (Key and Value Rename) |
Stages and Predicates
Stage 1: selection
or:
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\wscript.exe'
Stage 2: not 1 of filter_main_legit_wscript
or:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
TargetObject|contains: 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
TargetObject|contains: '\Services\bam\State\UserSettings\S-1-'
Image|endswith: '\wscript.exe'
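The two stages above can be evaluated directly against Sysmon registry events. The following Python script is an added example (not part of the rule catalog or the Sigma project) that implements the selection and the `filter_main_legit_wscript` exclusion and runs them over a handful of constructed Sysmon Event ID 12/13 records. It assumes that in the rule source the `Image` and `TargetObject` predicates of the filter sit in one Sigma map, so they are combined with AND (the page lists them under a single "or:"), while the list of `TargetObject` values is ORed; it also applies Sigma's default case-insensitive string matching. The `RegistryEvent` class, the sample events, and the SIDs and paths in them are constructed for the example.

```python
"""Evaluate 'Registry Tampering by Potentially Suspicious Processes' over
constructed Sysmon registry events (Event IDs 12, 13, 14).
Added example, not code from the rule catalog or the Sigma project."""
from dataclasses import dataclass

# Stage 1: selection (any of these process images)
SELECTION_IMAGES = ("\\cscript.exe", "\\mshta.exe", "\\wscript.exe")

# Stage 2: filter_main_legit_wscript.
# Assumption: Image and TargetObject are ANDed (one Sigma map), the
# TargetObject values are ORed (a Sigma list). Only wscript.exe writing to
# these well-known telemetry/BAM/Internet Settings keys is excluded.
FILTER_IMAGE = "\\wscript.exe"
FILTER_TARGETS = (
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\",
    "Software\\Microsoft\\Windows Script\\Settings\\Telemetry\\wscript.exe\\",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
    "\\Services\\bam\\State\\UserSettings\\S-1-",
)

REGISTRY_EVENT_IDS = (12, 13, 14)


@dataclass
class RegistryEvent:
    """Minimal Sysmon registry event (constructed type for the example)."""
    event_id: int
    image: str
    target_object: str


def selection(ev: RegistryEvent) -> bool:
    """Stage 1: Image ends with one of the script-engine names (case-insensitive)."""
    image = ev.image.lower()
    return any(image.endswith(s.lower()) for s in SELECTION_IMAGES)


def filter_main_legit_wscript(ev: RegistryEvent) -> bool:
    """Stage 2 exclusion: wscript.exe AND TargetObject contains a known-benign path."""
    image = ev.image.lower()
    target = ev.target_object.lower()
    return image.endswith(FILTER_IMAGE.lower()) and any(
        t.lower() in target for t in FILTER_TARGETS
    )


def matches(ev: RegistryEvent) -> bool:
    """Rule condition: registry event AND selection AND NOT 1 of filter_main_*."""
    return (
        ev.event_id in REGISTRY_EVENT_IDS
        and selection(ev)
        and not filter_main_legit_wscript(ev)
    )


def alerts(events):
    """Return the events that the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events (SIDs, paths and value names are made up).
SAMPLE_EVENTS = [
    # wscript.exe adding a Run key value: classic persistence, should alert
    RegistryEvent(13, "C:\\Windows\\System32\\wscript.exe",
                  "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    # wscript.exe touching its own BAM state entry: benign noise, filtered out
    RegistryEvent(13, "C:\\Windows\\System32\\wscript.exe",
                  "HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-1111-2222-3333-1001\\\\Device\\HarddiskVolume2\\Windows\\System32\\wscript.exe"),
    # cscript.exe writing Internet Settings: the filter only covers wscript.exe, so this alerts
    RegistryEvent(13, "C:\\Windows\\System32\\cscript.exe",
                  "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable"),
    # mshta.exe creating a key (Event ID 12): alerts
    RegistryEvent(12, "C:\\Windows\\System32\\mshta.exe",
                  "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}"),
    # reg.exe is not in the selection: no alert
    RegistryEvent(13, "C:\\Windows\\System32\\reg.exe",
                  "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print(f"ALERT EID {ev.event_id}: {ev.image} -> {ev.target_object}")
```

The third sample is the case worth noticing when tuning: the exclusion is scoped to `wscript.exe`, so the same benign-looking Internet Settings write from `cscript.exe` or `mshta.exe` still fires. Widen the filter deliberately if those engines generate the same noise in your environment, rather than dropping the `Image` predicate and silencing every write to those keys.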
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | |
| TargetObject | match | |