Detection | Level: medium | Status: experimental

Suspicious Shell Open Command Registry Modification

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Sat Jan 24
Rule ID: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
Product: windows
Log Source
Product: windows
Category: registry_set
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
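To make the selection above concrete, the following is an added example (not part of the rule, the Sigma project, or any SIEM backend) that applies the same two ANDed conditions to constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records. Sigma's `contains` modifier is case-insensitive unless `|cased` is used, so the helper lower-cases both fields before matching; the event dictionaries, SID, file paths, image names and the `triage` helper are all assumptions made for the demonstration.

```python
"""Added example: evaluate the Sigma selection against constructed Sysmon
registry 'value set' (Event ID 13) records. Illustrative code only; the
events and the triage helper are assumptions, not part of the rule."""

from typing import Optional

# Selection terms copied from the rule. Sigma 'contains' is case-insensitive
# by default, so every comparison below is done on lower-cased strings.
TARGET_OBJECT_CONTAINS = "\\shell\\open\\command\\"
DETAILS_CONTAINS = [
    "\\$Recycle.Bin\\", "\\AppData\\Local\\Temp\\", "\\Contacts\\", "\\Music\\",
    "\\PerfLogs\\", "\\Photos\\", "\\Pictures\\", "\\Users\\Public\\", "\\Videos\\",
    "\\Windows\\Temp\\", "%AppData%", "%LocalAppData%", "%Temp%", "%tmp%",
]


def matched_pattern(event: dict) -> Optional[str]:
    """Return the Details pattern that fired, or None when the event does not
    satisfy the selection (TargetObject AND Details must both match)."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if TARGET_OBJECT_CONTAINS.lower() not in target:
        return None
    for pattern in DETAILS_CONTAINS:
        if pattern.lower() in details:
            return pattern
    return None


def triage(events: list) -> list:
    """Return (index, Image, matched pattern) triples for every hit. Image is
    kept because the documented false positive is a legitimate installer, and
    the writing process is the quickest way to tell that apart from, say, a
    script host or reg.exe rewriting a file handler."""
    hits = []
    for i, ev in enumerate(events):
        pat = matched_pattern(ev)
        if pat is not None:
            hits.append((i, ev.get("Image", "?"), pat))
    return hits


# Constructed Sysmon Event ID 13 records (SID, paths and images are made up).
SAMPLE_EVENTS = [
    {   # .txt open handler redirected into a user's Temp folder -> hit
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe \"%1\"",
    },
    {   # same key written by an installer, pointing at Program Files -> no hit
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\editor-setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "\"C:\\Program Files\\Example Editor\\editor.exe\" \"%1\"",
    },
    {   # Temp path in Details, but not a shell\open\command key -> no hit
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Example\\Settings\\CachePath",
        "Details": "%Temp%\\example-cache",
    },
    {   # environment-variable form in a different case -> still a hit
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "%LOCALAPPDATA%\\launcher.exe",
    },
]

if __name__ == "__main__":
    for idx, image, pattern in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {image} set a shell\\open\\command value matching {pattern!r}")
```

Running the block reports events 0 and 3 only: event 1 shows why the rule's false-positive note exists (a legitimate installer writes the same key, but to a location outside the watch list), and event 2 shows that a suspicious path alone is not enough without the `\shell\open\command\` key.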
False Positives

Legitimate software installations or updates that modify the shell open command registry keys to these locations.

Rule Metadata
Rule ID
9e8894c0-0ae0-11ef-9d85-1f2942bec57c
Status
experimental
Level
medium
Type
Detection
Created
Sat Jan 24
Path
rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
Raw Tags
attack.defense-evasion
attack.privilege-escalation
attack.persistence
attack.t1548.002
attack.t1546.001