Shell Context Menu Command Tampering

Status: test
Severity: low
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.

Event coverage

Provider | Event       | Title
Sysmon   | Event ID 13 | RegistryEvent (Value Set)

Rule body (yaml)

title: Shell Context Menu Command Tampering
id: 868df2d1-0939-4562-83a7-27408c4a1ada
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
    - https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Classes\'
            - '\shell\'
            - '\command\'
    condition: selection
falsepositives:
    - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
level: low

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    TargetObject|contains|all:
        - '\Software\Classes\'
        - '\shell\'
        - '\command\'
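As an added illustration (not part of the rule or of the SigmaHQ project), the following Python applies the selection above to constructed Sysmon Event ID 13 records, using Sigma's default case-insensitive substring semantics for `contains|all`; the sample registry paths, SIDs and image names are assumptions made up for the demo.

```python
from typing import Dict, Iterable, List

# The rule's only predicate, copied from the Sigma body above:
# TargetObject|contains|all with these three literal substrings.
CONTAINS_ALL = ["\\Software\\Classes\\", "\\shell\\", "\\command\\"]


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle must occur somewhere in the value.
    Sigma string matching is case-insensitive by default, so fold both sides."""
    folded = value.lower()
    return all(n.lower() in folded for n in needles)


def matches_rule(event: Dict[str, object]) -> bool:
    """Apply the rule to one Sysmon event. The logsource (registry_set) maps to
    Event ID 13, so other registry events are out of scope for this rule."""
    if event.get("EventID") != 13:
        return False
    return contains_all(str(event.get("TargetObject", "")), CONTAINS_ALL)


def run_rule(events: List[Dict[str, object]]) -> List[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real telemetry). Paths, SIDs and images are
# illustrative only; only EventID and TargetObject affect the verdict.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0: per-user handler for every file type: all three substrings present
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Classes\\*\\shell\\open\\command\\(Default)"},
    # 1: same pattern in different letter case: still matches (case-insensitive)
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\Directory\\Background\\Shell\\cmd\\Command\\(Default)"},
    # 2: the kind of benign hit the falsepositives entry describes (Git install)
    {"EventID": 13, "Image": "C:\\Temp\\Git-installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\Directory\\shell\\git_shell\\command\\(Default)"},
    # 3: a Classes key with no \shell\ and no \command\ component: no match
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\.txt\\(Default)"},
    # 4: a \shell\ verb key without a \command\ subkey: no match
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Classes\\Applications\\notepad.exe\\shell\\open\\(Default)"},
    # 5: same path as 0 but a key-create event (ID 12), not a value set: out of scope
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Classes\\*\\shell\\open\\command"},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"alert: event {i}: {SAMPLE_EVENTS[i]['TargetObject']}")
```

Event 2 shows why the rule is level low and tagged threat-hunting: legitimate installers write the same key shape, so hits need triage against the Image and the command value rather than being alerted on directly.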

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: TargetObject
Kind: match
Values:
  • \Software\Classes\
  • \command\
  • \shell\