Detection rule | Level: high | Status: experimental

User Shell Folders Registry Modification via CommandLine

Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Mon Jan 05
Rule ID: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
Log Source
Product: windows
Category: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
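As an added example (not part of the original page or the Sigma project), the following Python evaluates the four selectors above, using Sigma's default case-insensitive string matching, over constructed process-creation events. The field names follow the windows/process_creation log source; every event, path and value in the sample data is made up.

```python
# Added example (not code from the page or the Sigma project): evaluates the
# rule's four selectors over constructed Sysmon-style process-creation events.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\reg.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll", "reg.exe")
ACTIONS = (" add ", "new-itemproperty", "set-itemproperty", "si ")
PATH_ROOTS = (
    "\\software\\microsoft\\windows\\currentversion\\explorer\\shell folders",
    "\\software\\microsoft\\windows\\currentversion\\explorer\\user shell folders",
)
PATH_SUFFIX = "startup"  # covers both 'Startup' and 'Common Startup'

def _contains_any(text, needles):
    t = text.lower()  # Sigma string matching is case-insensitive by default
    return any(n in t for n in needles)

def matches_rule(event):
    """True when all four selectors match (condition: all of selection_*)."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")
    selection_img = image.endswith(IMAGE_SUFFIXES) or orig in ORIGINAL_NAMES
    selection_cli_action = _contains_any(cli, ACTIONS)
    selection_cli_paths_root = _contains_any(cli, PATH_ROOTS)
    selection_cli_paths_suffix = PATH_SUFFIX in cli.lower()
    return (selection_img and selection_cli_action
            and selection_cli_paths_root and selection_cli_paths_suffix)

REG = "C:\\Windows\\System32\\reg.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
USF = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
# Constructed events: the first two should fire, the last two should not.
SAMPLE_EVENTS = [
    {"Image": REG, "OriginalFileName": "reg.exe", "CommandLine":
     f'reg.exe add "HKLM{USF}" /v "Common Startup" /t REG_EXPAND_SZ /d "C:\\CONSTRUCTED\\dir" /f'},
    {"Image": PS, "OriginalFileName": "PowerShell.EXE", "CommandLine":
     f"powershell.exe -c \"Set-ItemProperty -Path 'HKCU:{USF}' -Name Startup -Value C:\\CONSTRUCTED\\dir\""},
    # read-only query of the same key: no ' add ' / *-ItemProperty action
    {"Image": REG, "OriginalFileName": "reg.exe", "CommandLine":
     f'reg.exe query "HKCU{USF}" /v Startup'},
    # legitimate Explorer tweak (show hidden files): other key, no 'Startup'
    {"Image": PS, "OriginalFileName": "PowerShell.EXE", "CommandLine":
     "powershell.exe -c \"Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\"
     "CurrentVersion\\Explorer\\Advanced' -Name Hidden -Value 1\""},
]

def evaluate(events=SAMPLE_EVENTS):
    """Rule verdict per event, in input order."""
    return [matches_rule(e) for e in events]
```

The read-only `reg.exe query` event shows why the rule keys on an action token as well as the key path, and the `Advanced` event shows a routine Set-ItemProperty call that stays below the threshold.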

False Positives

Legitimate use of reg.exe or PowerShell to modify User Shell Folders values; this is rare.

Testing & Validation

Simulations

Atomic Red Team: T1547.001

Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value

GUID: acfef903-7662-447e-a391-9c91c2f00f7b

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test (1 match, evtx)

Microsoft-Windows-Sysmon