Techniques
Sample rules
Registry Modification Attempt Via VBScript - PowerShell
- source: sigma
- technicques:
- t1059
- t1059.005
- t1112
Description
Detects attempts to modify the registry using VBScript’s CreateObject(“Wscript.shell”) and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell’s native registry cmdlets.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- CreateObject
- Wscript.shell
- .RegWrite
Registry Tampering by Potentially Suspicious Processes
- source: sigma
- technicques:
- t1059
- t1059.005
- t1112
Description
Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
Detection logic
condition: selection
selection:
Image|endswith:
- \mshta.exe
- \wscript.exe
- \cscript.exe