LoFP / Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.

Techniques

Sample rules

Potential Persistence Via Custom Protocol Handler

Description

Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by setting a custom handler to be used for persistence.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic_locations:
  Image|startswith:
  - C:\Program Files (x86)
  - C:\Program Files\
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
filter_main_ms_trusted:
  Details|startswith: URL:ms-
selection:
  Details|startswith: 'URL:'
  TargetObject|startswith: HKCR\
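To make the selection/filter logic above concrete, here is an added example that evaluates the rule over a handful of constructed Sysmon Event ID 13 (registry value set) records. It is illustrative code written for this page, not the LoFP site's or the Sigma project's own; the event field names (Image, TargetObject, Details, EventRecordID) follow Sysmon's schema, and the sample records are invented, not real telemetry. Sigma string modifiers such as |startswith compare case-insensitively, so every comparison lowercases both sides.

```python
# Added example (not from the LoFP page or the Sigma project): a stand-alone
# evaluator for the detection block "condition: selection and not 1 of filter_main_*",
# run against constructed Sysmon Event ID 13 records.

SELECTION_DETAILS_PREFIX = "URL:"
SELECTION_TARGET_PREFIX = "HKCR\\"

# filter_main_generic_locations: images under these paths are treated as trusted installers
FILTER_GENERIC_LOCATIONS = (
    "C:\\Program Files (x86)",
    "C:\\Program Files\\",
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
)

# filter_main_ms_trusted: Microsoft's own ms-* handlers (ms-settings, ms-word, ...)
FILTER_MS_PREFIX = "URL:ms-"


def _startswith(value, prefix):
    """Case-insensitive prefix test, matching Sigma's default string semantics."""
    return (value or "").lower().startswith(prefix.lower())


def selection(event):
    """selection: Details starts with 'URL:' and TargetObject starts with 'HKCR\\'."""
    return (_startswith(event.get("Details"), SELECTION_DETAILS_PREFIX)
            and _startswith(event.get("TargetObject"), SELECTION_TARGET_PREFIX))


def filter_main_generic_locations(event):
    return any(_startswith(event.get("Image"), p) for p in FILTER_GENERIC_LOCATIONS)


def filter_main_ms_trusted(event):
    return _startswith(event.get("Details"), FILTER_MS_PREFIX)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not (
        filter_main_generic_locations(event) or filter_main_ms_trusted(event)
    )


def explain(event):
    """Report which clause decided the outcome; handy when tuning the filters."""
    if not selection(event):
        return "not in selection"
    if filter_main_generic_locations(event):
        return "suppressed: filter_main_generic_locations"
    if filter_main_ms_trusted(event):
        return "suppressed: filter_main_ms_trusted"
    return "ALERT"


# Constructed sample events shaped like Sysmon Event ID 13 output (not real data).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Image": "C:\\Program Files\\ExampleVendor\\setup.exe",
     "TargetObject": "HKCR\\examplevendor", "Details": "URL:ExampleVendor Protocol"},
    {"EventRecordID": 2, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKCR\\ms-settings", "Details": "URL:ms-settings"},
    {"EventRecordID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKCR\\customproto", "Details": "URL:customproto"},
    # Mixed case: Sigma matching is case-insensitive, so this is still filtered.
    {"EventRecordID": 4, "Image": "c:\\program files (x86)\\ExampleTool\\install.exe",
     "TargetObject": "HKCR\\exampletool", "Details": "url:ExampleTool Protocol"},
    # A file-type association write, not a URL protocol: outside the selection.
    {"EventRecordID": 5, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKCR\\.customext", "Details": "customfile"},
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the EventRecordIDs that would raise an alert."""
    return [e["EventRecordID"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventRecordID"], explain(e))
    print("alerts:", run_rule())  # only record 3 alerts
```

Running it shows the trade-off the LoFP note describes: the installer records (1, 2, 4) are suppressed by filter_main_generic_locations even though they are in the selection, while the write from a user temp directory (3) alerts. Note that filter_main_ms_trusted keys only on the Details prefix, not on the writing Image, so when tuning for your environment consider whether that filter should also be scoped by location.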