Suspicious Shell Open Command Registry Modification
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Registry Event" AND ( OBJECTNAME contains "\shell\open\command" ) AND ( CHANGES contains "$Recycle.Bin,\AppData\Local\Temp,\Contacts,\Music,\PerfLogs,\Photos,\Pictures,\Users\Public,\Videos,\Windows\Temp,%AppData%,%LocalAppData%,%Temp%,%tmp%" OR INFORMATION contains "$Recycle.Bin,\AppData\Local\Temp,\Contacts,\Music,\PerfLogs,\Photos,\Pictures,\Users\Public,\Videos,\Windows\Temp,%AppData%,%LocalAppData%,%Temp%,%tmp%" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


