LoFP / legitimate software installations or updates that modify the shell open command registry keys to these locations.

Techniques

Sample rules

Suspicious Shell Open Command Registry Modification

Description

Detects modifications to shell open command registry keys whose new value points to a location that malware typically uses for staging and persistence (user temp directories, public or profile folders, the Recycle Bin, or unexpanded %AppData%/%Temp% variables). Writing a *\shell\open\command key changes the default action taken when a file type, protocol or class is opened, and several UAC bypass and persistence techniques rely on exactly that to execute a malicious script or binary. Legitimate per-user installers and updaters that register handlers under these same paths are the main source of false positives.

Detection logic

condition: selection
selection:
  Details|contains:
  - \$Recycle.Bin\
  - \AppData\Local\Temp\
  - \Contacts\
  - \Music\
  - \PerfLogs\
  - \Photos\
  - \Pictures\
  - \Users\Public\
  - \Videos\
  - \Windows\Temp\
  - '%AppData%'
  - '%LocalAppData%'
  - '%Temp%'
  - '%tmp%'
  TargetObject|contains: \shell\open\command\
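As an added example, not part of the LoFP page or the Sigma rule itself, the `selection` block above re-implemented in Python and run over a handful of constructed Sysmon Event ID 13 (registry_set) records. It shows which events fire, which do not, and the false-positive case named in the page title. Two details worth noting: Sigma's `contains` is a case-insensitive substring test, so `Shell\Open\Command` matches as well as `shell\open\command`, and the trailing backslash in `\shell\open\command\` means the hit is on a value beneath the key (Sysmon names the default value `(Default)`), not on the key itself. The event contents, SIDs, product name and paths are made up for illustration.

```python
"""Sigma `selection` from the rule above, evaluated over constructed Sysmon
Event ID 13 records. Added example; not the rule's or the page's own code."""

# Values copied from the rule. Both fields are lower-cased before comparison
# because Sigma string matching is case-insensitive unless `cased` is used.
DETAILS_CONTAINS = [
    "\\$Recycle.Bin\\",
    "\\AppData\\Local\\Temp\\",
    "\\Contacts\\",
    "\\Music\\",
    "\\PerfLogs\\",
    "\\Photos\\",
    "\\Pictures\\",
    "\\Users\\Public\\",
    "\\Videos\\",
    "\\Windows\\Temp\\",
    "%AppData%",
    "%LocalAppData%",
    "%Temp%",
    "%tmp%",
]
TARGET_OBJECT_CONTAINS = "\\shell\\open\\command\\"


def matched_path(event):
    """Return the first Details pattern that matches, or None when the event
    does not satisfy `selection`. Both conditions of the selection must hold:
    the key path must contain \\shell\\open\\command\\ AND the value data must
    contain one of the listed locations."""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    if TARGET_OBJECT_CONTAINS.lower() not in target:
        return None
    for pattern in DETAILS_CONTAINS:
        if pattern.lower() in details:
            return pattern
    return None


def run_rule(events):
    """Apply the rule to a list of events; return (index, pattern) per hit."""
    hits = []
    for i, ev in enumerate(events):
        pattern = matched_path(ev)
        if pattern is not None:
            hits.append((i, pattern))
    return hits


# Constructed Sysmon EID 13 records, field names as Sigma's registry_set uses
# them. SIDs, users, product names and paths are invented for this example.
SAMPLE_EVENTS = [
    # 0: per-user class handler rewritten to a binary in the user's Temp
    #    directory (hypothetical UAC-bypass / persistence style write). Note the
    #    mixed-case "Shell\Open\command": still a hit.
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    # 1: machine-wide file association set by an installer running from Temp,
    #    but the VALUE points at Program Files. Only Details is inspected, so
    #    no hit (the installer's own Image path is irrelevant to this rule).
    {"EventType": "SetValue",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-ABC12.tmp\\setup.tmp",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\Applications\\ExampleEditor.exe"
                     "\\shell\\open\\command\\(Default)",
     "Details": "\"C:\\Program Files\\ExampleEditor\\ExampleEditor.exe\" \"%1\""},
    # 2: per-user installer that stores the unexpanded variable: this is the
    #    legitimate-software false positive the LoFP page describes.
    {"EventType": "SetValue",
     "Image": "C:\\Users\\alice\\Downloads\\ExampleEditorSetup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Classes\\Applications\\ExampleEditor.exe"
                     "\\shell\\open\\command\\(Default)",
     "Details": "\"%LocalAppData%\\Programs\\ExampleEditor\\ExampleEditor.exe\" \"%1\""},
    # 3: payload staged in Windows\Temp but registered under a Run key. The
    #    location matches, the key does not, so this rule stays silent.
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Windows\\Temp\\updater.exe"},
]


if __name__ == "__main__":
    for index, pattern in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"hit #{index}: {ev['TargetObject']} -> {ev['Details']} (matched {pattern!r})")
```

Event 2 is the one to triage against the LoFP: the writing process is a signed, expected installer and the value resolves to the user's own program directory. Event 0 is the pattern the rule exists for, and event 3 shows the rule's boundary; a write like that belongs to a Run-key rule, not this one.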