Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry key to execute malicious code with elevated privileges by hijacking the command execution path.
Sigma rule

```yaml
title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium
```
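As an added example (not part of the SigmaHQ rule or this page), the rule's condition evaluated in Python over constructed process_creation events, to show which command lines trigger it and which do not; the sample events, the executable path placeholders and the field names (Sigma's Image, OriginalFileName, CommandLine) are assumptions:

```python
# Added example: evaluate the Sigma condition
#   (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
# over constructed Windows process_creation events. Sigma string matching
# is case-insensitive by default, so every comparison lowercases both sides.

REG_IMAGES = ("\\reg.exe",)
PWSH_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
PWSH_ORIG = ("powershell.exe", "pwsh.dll")
PWSH_CLI = ("New-ItemProperty", "Set-ItemProperty", "ni ", "sp ")
KEY_FRAGMENT = "\\ms-settings\\shell\\open\\command"


def _contains(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def matches(event):
    """True if the event satisfies the rule's condition."""
    image = event.get("Image", "")
    orig = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")
    # A YAML list under a selection is an OR of its items.
    reg_img = _endswith(image, REG_IMAGES) or orig == "reg.exe"
    reg_cli = _contains(cli, ("add",))
    pwsh_img = _endswith(image, PWSH_IMAGES) or orig in PWSH_ORIG
    pwsh_cli = _contains(cli, PWSH_CLI)
    cli_key = _contains(cli, (KEY_FRAGMENT,))
    return ((reg_img and reg_cli) or (pwsh_img and pwsh_cli)) and cli_key


# Constructed sample events (not real telemetry). KEY is the protocol
# handler's command subkey under HKCU\Software\Classes.
KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe",                       # 0: match
     "CommandLine": f"reg add {KEY} /ve /d C:\\PLACEHOLDER\\x.exe /f"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell Set-ItemProperty -Path {KEY} -Name '(default)' -Value x"},  # 1: match
    {"Image": "C:\\Windows\\System32\\reg.exe",                       # 2: read-only, no 'add'
     "CommandLine": f"reg query {KEY}"},
    {"Image": "C:\\Windows\\System32\\reg.exe",                       # 3: 'add' but other key
     "CommandLine": "reg add HKCU\\Software\\Classes\\Applications /f"},
]


def alerts(events=SAMPLE_EVENTS):
    """Indices of events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Note that `selection_reg_cli` only requires the substring `add`, so a renamed reg.exe is still caught through OriginalFileName, but any argument containing `add` (for example a path with `address` in it) satisfies that part of the condition.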
Related rules
- DHCP Callout DLL Installation
- New DNS ServerLevelPluginDll Installed
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- OilRig APT Activity
- OilRig APT Registry Persistence