Detectionmediumexperimental

Registry Modification Attempt Via VBScript

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Aug 13921aa10f-2e74-4cca-9498-98f9ca4d6fdfwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0002 · Execution

Techniques

T1112 · Modify Registry

Sub-techniques

T1059.005 · Visual Basic

Related Rules

SimilarDetectionmedium

Registry Modification Attempt Via VBScript - PowerShell

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Registry Tampering by Potentially Suspicious Processes

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

921aa10f-2e74-4cca-9498-98f9ca4d6fdf

Status

experimental

Level

medium

Type

Detection

Created

Wed Aug 13

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.executionattack.t1112attack.t1059.005

View on GitHub