Registry Modification Attempt Via VBScript - PowerShell
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
Sigma rule
title: Registry Modification Attempt Via VBScript - PowerShell
id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
related:
    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands.
    Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.
    This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
    - https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
    - attack.t1112
    - attack.t1059.005
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium
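To check what the `ScriptBlockText|contains|all` selection above actually fires on, here is an added Python example (not part of the rule or SigmaHQ) that applies the rule's three terms to a few constructed script-block log events. It assumes Sigma's default semantics: `contains` is case-insensitive and `all` requires every listed term in the same event; the key path and event records are constructed for the test.

```python
# Sigma `contains` is case-insensitive by default; `all` needs every term.
REQUIRED_TERMS = ("CreateObject", "Wscript.shell", ".RegWrite")


def matches_rule(script_block_text: str, terms=REQUIRED_TERMS) -> bool:
    """Emulate `ScriptBlockText|contains|all` for one ps_script event."""
    text = script_block_text.lower()
    return all(term.lower() in text for term in terms)


# Constructed PowerShell script-block events (category ps_script style).
# Only the first one carries all three terms; the key path is a test value.
SAMPLE_EVENTS = [
    {
        "EventID": 4104,
        "ScriptBlockText": r'CreateObject("WScript.Shell").RegWrite '
                           r'"HKCU\Software\ConstructedTest\Flag", "1", "REG_SZ"',
    },
    {
        # CreateObject present, but no shell object and no RegWrite: no match.
        "EventID": 4104,
        "ScriptBlockText": r'Set fso = CreateObject("Scripting.FileSystemObject")',
    },
    {
        # Shell object present, but only a read (RegRead): no match.
        "EventID": 4104,
        "ScriptBlockText": r'Set sh = CreateObject("WScript.Shell"): '
                           r'v = sh.RegRead("HKCU\Software\ConstructedTest\Flag")',
    },
    {
        # Native cmdlet; covered by other rules, not this one.
        "EventID": 4104,
        "ScriptBlockText": r"Set-ItemProperty -Path HKCU:\Software\ConstructedTest -Name Flag -Value 1",
    },
]


def evaluate(events):
    """Return the ScriptBlockText of every event the selection matches."""
    return [e["ScriptBlockText"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

The case-insensitive match matters in practice: `createobject("wscript.shell").regwrite` and `CreateObject("WScript.Shell").RegWrite` are the same hit.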
Related rules
- Registry Modification Attempt Via VBScript
- Registry Tampering by Potentially Suspicious Processes
- Potential Ursnif Malware Activity - Registry
- Blue Mockingbird - Registry
- Blue Mockingbird