Suspicious Shell Open Command Registry Modification

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Registry Event" AND ( OBJECTNAME contains "\shell\open\command" ) AND ( CHANGES contains "$Recycle.Bin,\AppData\Local\Temp,\Contacts,\Music,\PerfLogs,\Photos,\Pictures,\Users\Public,\Videos,\Windows\Temp,%AppData%,%LocalAppData%,%Temp%,%tmp%" OR INFORMATION contains "$Recycle.Bin,\AppData\Local\Temp,\Contacts,\Music,\PerfLogs,\Photos,\Pictures,\Users\Public,\Videos,\Windows\Temp,%AppData%,%LocalAppData%,%Temp%,%tmp%" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel (Nextron Systems)