Detection · medium · test
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, a key that is frequently targeted for UAC bypass or persistence. By hijacking the command registered for this handler, an attacker can have malicious code executed with elevated privileges.
Authors: François Hubaut, Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Mon Dec 20
Updated: Sat Jan 24
Rule ID: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (5 selectors)
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
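To make the detection logic above concrete, here is a small Python re-implementation of the rule's five selectors and its condition, run over a handful of constructed process-creation events. This is an added example, not part of the Sigma rule or the page; the event dictionaries, the `evaluate`/`scan` helper names and the placeholder paths in the sample command lines are all constructed for illustration. It reports which branch (`reg` or `pwsh`) fired, which is the first thing a triager wants to know given that false positives for this rule have not been assessed.

```python
# Added example (not the rule's own code): a Python re-implementation of the
# Sigma selectors and condition, evaluated over constructed sample events.
# Sigma string matching is case-insensitive, so both sides are lower-cased.

def _lower(value):
    return (value or "").lower()

def _endswith(value, suffixes):                 # Sigma '|endswith' modifier
    v = _lower(value)
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains(value, needles):                  # Sigma '|contains' modifier
    v = _lower(value)
    return any(n.lower() in v for n in needles)

def _equals_any(value, candidates):             # plain (exact) field match
    return _lower(value) in [c.lower() for c in candidates]

# A selection written as a list of maps is an OR between its entries.
def selection_reg_img(e):
    return (_endswith(e.get("Image"), [r"\reg.exe"])
            or _equals_any(e.get("OriginalFileName"), ["reg.exe"]))

def selection_pwsh_img(e):
    return (_endswith(e.get("Image"), [r"\powershell.exe", r"\pwsh.exe"])
            or _equals_any(e.get("OriginalFileName"), ["powershell.exe", "pwsh.dll"]))

def selection_reg_cli(e):
    return _contains(e.get("CommandLine"), ["add"])

def selection_pwsh_cli(e):
    return _contains(e.get("CommandLine"),
                     ["New-ItemProperty", "Set-ItemProperty", "ni ", "sp "])

def selection_cli_key(e):
    return _contains(e.get("CommandLine"), [r"\ms-settings\shell\open\command"])

def evaluate(event):
    """Apply the rule condition:
    (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
    Returns 'reg' or 'pwsh' for the branch that matched, or None."""
    if not selection_cli_key(event):
        return None
    if selection_reg_img(event) and selection_reg_cli(event):
        return "reg"
    if selection_pwsh_img(event) and selection_pwsh_cli(event):
        return "pwsh"
    return None

# Constructed sample events; field names follow the Sigma process_creation schema.
SAMPLE_EVENTS = [
    # 1: reg.exe writing the handler key -> should fire via the 'reg' branch
    {"id": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /d C:\constructed\placeholder.exe /f"},
    # 2: renamed PowerShell binary (OriginalFileName still pwsh.dll) using the 'sp ' alias
    {"id": 2, "Image": r"C:\Temp\renamed.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"renamed.exe -c sp HKCU:\Software\Classes\ms-settings\shell\open\command (default) C:\constructed\placeholder.exe"},
    # 3: read-only query of the same key -> no 'add', must not fire
    {"id": 3, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKCU\Software\Classes\ms-settings\shell\open\command"},
    # 4: PowerShell reading the key -> none of the write cmdlets/aliases, must not fire
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe Get-ItemProperty HKCU:\Software\Classes\ms-settings\shell\open\command"},
    # 5: reg add to an unrelated key -> key selector fails, must not fire
    {"id": 5, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKCU\Software\Constructed\Example /v Test /d 1 /f"},
]

def scan(events):
    """Return [(event id, branch)] for every event the rule fires on."""
    hits = []
    for e in events:
        branch = evaluate(e)
        if branch:
            hits.append((e["id"], branch))
    return hits

if __name__ == "__main__":
    for event_id, branch in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: matched via {branch} branch")
```

Note that `'add'`, `'ni '` and `'sp '` are very broad substrings on their own; the rule stays precise only because `selection_cli_key` anchors every match to the handler key path, and event 2 shows why the `OriginalFileName` alternative matters when the interpreter binary has been renamed. During triage, pull the full command line and the parent process of the flagged event before deciding.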
MITRE ATT&CK
Tactics: Defense Evasion, Privilege Escalation, Persistence
Techniques: T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1546.001 (Event Triggered Execution: Change Default File Association), T1112 (Modify Registry)
Rule Metadata
Rule ID
dd3ee8cc-f751-41c9-ba53-5a32ed47e563
Status
test
Level
medium
Type
Detection
Created
Mon Dec 20
Modified
Sat Jan 24
Path
rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
Raw Tags
attack.defense-evasion
attack.privilege-escalation
attack.persistence
attack.t1548.002
attack.t1546.001
attack.t1112