User Shell Folders Registry Modification via CommandLine
- source: sigma
- techniques:
  - t1112
  - t1547
  - t1547.001
Description
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Detection logic
detection:
  condition: all of selection_*
  selection_cli_action:
    CommandLine|contains:
      - ' add '
      - 'New-ItemProperty'
      - 'Set-ItemProperty'
      - 'si '
  selection_cli_paths_root:
    CommandLine|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
      - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
  selection_cli_paths_suffix:
    CommandLine|contains: 'Startup'
  selection_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\reg.exe'
    - OriginalFileName:
        - 'powershell.exe'
        - 'pwsh.dll'
        - 'reg.exe'
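As an added example (not part of the rule or of the Sigma project), the detection logic above expressed in Python with Sigma's default case-insensitive substring semantics and run over constructed Sysmon-style process-creation events: two that should fire and a read-only reg query that should not. Field and sample names are assumptions for the example.

```python
"""Reference matcher for the Sigma rule above (added example, not the rule's own code).
Evaluates the four selections over constructed Sysmon-style process-creation events."""

RULE = {
    "selection_cli_action": {"CommandLine|contains": [" add ", "New-ItemProperty", "Set-ItemProperty", "si "]},
    "selection_cli_paths_root": {"CommandLine|contains": [
        r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
        r"\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"]},
    "selection_cli_paths_suffix": {"CommandLine|contains": ["Startup"]},
    # A list of maps is an OR: either the Image check or the OriginalFileName check may satisfy it.
    "selection_img": [{"Image|endswith": [r"\powershell.exe", r"\pwsh.exe", r"\reg.exe"]},
                      {"OriginalFileName": ["powershell.exe", "pwsh.dll", "reg.exe"]}],
}

def _field_matches(event, key, values):
    """One Sigma field test: 'Field', 'Field|contains' or 'Field|endswith' (case-insensitive)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (x.lower() for x in values):
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False

def _selection_matches(event, selection):
    """A map is an AND of its field tests; a list of maps is an OR of those maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, alt) for alt in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_*"""
    return all(_selection_matches(event, sel) for sel in RULE.values())

# Constructed Sysmon Event ID 1 style records, not real telemetry.
SAMPLE_EVENTS = {
    "reg_startup_redirect": {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d C:\Users\Public\sample /f'},
    "pwsh_set_itemproperty": {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
        "CommandLine": r'pwsh -c "Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders -Name Startup -Value C:\Users\Public\sample"'},
    "reg_query_only": {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # read-only, no write verb
        "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup'},
}

def evaluate_samples():
    """Return {sample name: fires?} for every constructed event."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Because `contains` matches anywhere in the command line, the `Startup` suffix selection also matches a `Startup` token that is not the value name; tune with a filter selection if that proves noisy in your environment.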