Detectionhightest

Custom File Open Handler Executes PowerShell

Detects the abuse of custom file open handler, executing powershell

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

CD_R0M_Created Sat Jun 11Updated Thu Aug 177530b96f-ad8e-431d-a04d-ac85cc461fdcwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: 'shell\open\command\'
        Details|contains|all:
            - 'powershell'
            - '-command'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

news.sophos.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1202 · Indirect Command Execution

Rule Metadata

Rule ID

7530b96f-ad8e-431d-a04d-ac85cc461fdc

Status

test

Level

high

Type

Detection

Created

Sat Jun 11

Modified

Thu Aug 17

Author

CD_R0M_

Path

rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml

Raw Tags

attack.defense-evasionattack.t1202

View on GitHub