Detectionmediumexperimental

Registry Tampering by Potentially Suspicious Processes

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Aug 13Updated Tue Apr 147f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith:
            # Add more suspicious processes
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_legit_wscript:
        Image|endswith: '\wscript.exe'
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
            - '\Services\bam\State\UserSettings\S-1-'
            - 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
            - 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
    condition: selection and not 1 of filter_main_*

False Positives

Some legitimate admin or install scripts may use these processes for registry modifications.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0002 · Execution

Techniques

T1112 · Modify Registry

Sub-techniques

T1059.005 · Visual Basic

Related Rules

SimilarDetectionmedium

Registry Modification Attempt Via VBScript - PowerShell

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Registry Modification Attempt Via VBScript

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2

Status

experimental

Level

medium

Type

Detection

Created

Wed Aug 13

Modified

Tue Apr 14

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.executionattack.t1112attack.t1059.005

View on GitHub