Detection rule (level: high, status: test)
Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Author: Christian Burkard (Nextron Systems). Created Mon Aug 30, updated Thu Jan 13. Rule ID 152f3630-77c1-4284-bcc0-4cc68ab2f6e7. Product: windows.
Log Source
Windows / Registry Event
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (4 selectors)
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
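The detection logic and the open false-positive question, worked through as an added example (this is not code from the rule, its author, or the Sigma project): the rule's condition written out in Python and evaluated over a handful of constructed Sysmon registry events. Field names follow the rule (EventType, TargetObject, Details); the SID, CLSID, paths and command lines in the samples are placeholders made up for this run. Sigma string matching is case-insensitive by default, which the helpers reproduce, and Sysmon writes an empty REG_SZ as the literal string "(Empty)", which is what filter_sel3 relies on.

```python
"""Added example: the Sigma condition as plain Python, run over constructed
Sysmon registry events. Not part of the rule or the Sigma project."""


def _equals(value, expected: str) -> bool:
    # Sigma exact matching is case-insensitive by default.
    return str(value or "").lower() == expected.lower()


def _ends_with(value, suffixes) -> bool:
    v = str(value or "").lower()
    if isinstance(suffixes, str):
        suffixes = [suffixes]
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needle: str) -> bool:
    return needle.lower() in str(value or "").lower()


def selection1(ev: dict) -> bool:
    # command key turned into a registry symbolic link pointing at another key under Software\Classes
    return (
        _equals(ev.get("EventType"), "SetValue")
        and _ends_with(ev.get("TargetObject"), r"Classes\ms-settings\shell\open\command\SymbolicLinkValue")
        and _contains(ev.get("Details"), r"\Software\Classes\{")
    )


def selection2(ev: dict) -> bool:
    # No EventType constraint: any registry event touching DelegateExecute matches (including a delete).
    return _ends_with(ev.get("TargetObject"), r"Classes\ms-settings\shell\open\command\DelegateExecute")


def selection3(ev: dict) -> bool:
    return _equals(ev.get("EventType"), "SetValue") and _ends_with(
        ev.get("TargetObject"),
        [r"Classes\ms-settings\shell\open\command\(Default)",
         r"Classes\exefile\shell\open\command\(Default)"],
    )


def filter_sel3(ev: dict) -> bool:
    # Sysmon records an empty string value as "(Empty)"; resetting the handler is excluded.
    return _equals(ev.get("Details"), "(Empty)")


def rule_matches(ev: dict) -> bool:
    """condition: selection1 or selection2 or (selection3 and not filter_sel3)"""
    return selection1(ev) or selection2(ev) or (selection3(ev) and not filter_sel3(ev))


# Constructed sample events (not real telemetry); SID and CLSID are placeholders.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"name": "fodhelper_default", "EventType": "SetValue",  # payload written to (Default)
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"name": "delegateexecute_empty", "EventType": "SetValue",  # DelegateExecute created empty
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"name": "symlink_to_clsid", "EventType": "SetValue",  # SymbolicLinkValue pointing at a CLSID key
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\SymbolicLinkValue",
     "Details": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
                r"\Software\Classes\{00000000-0000-0000-0000-000000000000}"},
    {"name": "cleanup_default_emptied", "EventType": "SetValue",  # excluded by filter_sel3
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": "(Empty)"},
    {"name": "key_deleted_only", "EventType": "DeleteKey",  # key itself, no value name suffix
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command",
     "Details": ""},
    {"name": "hklm_exefile_handler", "EventType": "SetValue",  # machine-wide .exe handler rewritten
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'"C:\Program Files\Example\launcher.exe" "%1" %*'},
    {"name": "unrelated_run_key", "EventType": "SetValue",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\updater.exe"},
]


def matching_names(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on."""
    return [ev["name"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'ALERT' if rule_matches(ev) else '  -  '}  {ev['name']}")
```

Two things the run makes visible that matter for triage. First, the rule only checks the key suffix, so the HKLM exefile sample fires exactly like the per-user fodhelper one: the hive in TargetObject and the writing Image are what separate a UAC bypass staged under HKU\<SID> from an installer rewriting the machine-wide .exe handler, and neither is in the rule. Second, selection2 carries no EventType, so deleting DelegateExecute during cleanup also matches; that is useful (it catches the teardown even if the creation was missed) but it means one bypass can produce several alerts from the same process.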
MITRE ATT&CK
Tactics: Persistence, Defense Evasion, Privilege Escalation
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
T1546.001 Event Triggered Execution: Change Default File Association
Rule Metadata
Rule ID
152f3630-77c1-4284-bcc0-4cc68ab2f6e7
Status
test
Level
high
Type
Detection
Created
Mon Aug 30
Modified
Thu Jan 13
Path
rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
Raw Tags
attack.persistence
attack.defense-evasion
attack.privilege-escalation
attack.t1548.002
attack.t1546.001