Detectionhighexperimental

User Shell Folders Registry Modification via CommandLine

Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Jan 058f3ab69a-aa22-4943-aa58-e0a52fdf6818windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*

False Positives

Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.

References

Resolving title…

welivesecurity.com

Testing & Validation

Simulations

atomic-red-teamT1547.001

View on ART

Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value

GUID: acfef903-7662-447e-a391-9c91c2f00f7b

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Sub-techniques

T1547.001 · Registry Run Keys / Startup Folder

Related Rules

SimilarDetectionhigh

Modify User Shell Folders Startup Value

Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

8f3ab69a-aa22-4943-aa58-e0a52fdf6818

Status

experimental

Level

high

Type

Detection

Created

Mon Jan 05

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1547.001attack.defense-evasionattack.t1112

View on GitHub