Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
Author: François Hubaut, Florian Roth (Nextron Systems)
Created: Thu Mar 17
Updated: Fri Jul 18
Rule ID: 8d85cf08-bf97-4260-ba49-986a2a65129c
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - 'Invoke-RestMethod'
            - 'IRM '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
False Positives
Legitimate admin or third-party scripts. Baseline according to your environment.
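As an added example (not code from the rule or the page), the selection logic above is reimplemented in Python and run over constructed registry-set events, so the Run-key prefix match (which also catches RunOnce), Sigma's case-insensitive contains semantics, and a benign autostart entry of the kind the false-positive note refers to can all be checked offline; the event shape and sample values are assumptions.

```python
# Added example (not part of the Sigma rule or the page): evaluate the rule's
# selection logic over constructed registry_set events (Sysmon Event ID 13 style).
# List values below are copied verbatim from the rule's detection block.
TARGET_OBJECTS = [
    r"\Software\Microsoft\Windows\CurrentVersion\Run",  # also covers RunOnce / RunOnceEx
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
DETAILS = [
    "powershell", "pwsh ", "FromBase64String", ".DownloadFile(", ".DownloadString(",
    " -w hidden ", " -w 1 ", "-windowstyle hidden", "-window hidden", " -nop ",
    " -encodedcommand ", "-ExecutionPolicy Bypass", "Invoke-Expression", "IEX (",
    "Invoke-Command", "ICM -", "Invoke-WebRequest", "IWR ", "Invoke-RestMethod",
    "IRM ", " -noni ", " -noninteractive ",
]

def _contains_any(value: str, needles: list) -> bool:
    """Sigma's |contains modifier: case-insensitive substring match against any list value."""
    value = value.lower()
    return any(n.lower() in value for n in needles)

def matches(event: dict) -> bool:
    """'condition: selection': both TargetObject and Details must hit their lists."""
    return (_contains_any(event.get("TargetObject", ""), TARGET_OBJECTS)
            and _contains_any(event.get("Details", ""), DETAILS))

def alerts(events: list) -> list:
    """Return the TargetObject of every event the rule would flag."""
    return [e["TargetObject"] for e in events if matches(e)]

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 1. hidden PowerShell in a per-user Run key: fires on 'powershell', ' -nop ', ' -w hidden '
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    # 2. RunOnce is matched by the Run prefix; 'pwsh ' and '-ExecutionPolicy Bypass' hit: fires
    {"TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleanup",
     "Details": r"pwsh -NoProfile -ExecutionPolicy Bypass -File C:\scripts\cleanup.ps1"},
    # 3. benign autostart in a Run key with no PowerShell indicator: silent
    {"TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # 4. PowerShell written under a key outside the rule's Run-key scope: silent
    {"TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App",
     "Details": r"powershell.exe -Command Remove-Item C:\App"},
]
```

Events 3 and 4 show the two sides of the false-positive note: a Run-key write without any listed PowerShell indicator stays silent, and a PowerShell string outside the Run keys is out of scope, so tuning belongs in the Details list rather than the key paths.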
MITRE ATT&CK
Tactics: Persistence, Privilege Escalation
Technique: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
Rule Metadata
Status: test
Level: medium
Type: Detection
Path: rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001