Registry Modification of MS-settings Protocol Handler

Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry key to execute malicious code with elevated privileges by hijacking the handler's command execution path.

Sigma rule

title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium
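As an added example (not part of the rule or of any Sigma backend), the condition above evaluated in Python over constructed process_creation events, so the two execution paths (reg.exe with 'add', PowerShell with the *-ItemProperty cmdlets or their aliases) and the image gating can be seen working; the events and field names are constructed sample data following Sigma's matching semantics.

```python
# Added example, not part of the rule or of any Sigma backend: the rule's condition
# evaluated over constructed (not real) process_creation events. Sigma semantics:
# string modifiers are case-insensitive; a list of values under a field is OR;
# a list of maps inside a selection is OR; "all of selection_x_*" is AND.
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /d C:\Temp\sample.exe /f"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"pwsh -c sp 'HKCU:\Software\Classes\ms-settings\shell\open\command' '(default)' 'C:\Temp\sample.exe'"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Classes\ms-settings\shell\open\command"},  # read, no 'add'
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c echo add \ms-settings\shell\open\command"},  # key and 'add', wrong image
]

def _match(value, needles, mode):
    """One Sigma field test; a list of needles is OR; comparison is case-insensitive."""
    v = (value or "").lower()
    for n in needles:
        n = n.lower()
        if ((mode == "contains" and n in v) or (mode == "endswith" and v.endswith(n))
                or (mode == "equals" and v == n)):
            return True
    return False

def selection_reg_img(e):   # list of maps => OR between the two field tests
    return (_match(e.get("Image"), ["\\reg.exe"], "endswith")
            or _match(e.get("OriginalFileName"), ["reg.exe"], "equals"))

def selection_pwsh_img(e):
    return (_match(e.get("Image"), ["\\powershell.exe", "\\pwsh.exe"], "endswith")
            or _match(e.get("OriginalFileName"), ["powershell.exe", "pwsh.dll"], "equals"))

def selection_reg_cli(e):
    return _match(e.get("CommandLine"), ["add"], "contains")

def selection_pwsh_cli(e):  # 'ni ' and 'sp ' are the New-/Set-ItemProperty aliases
    return _match(e.get("CommandLine"), ["New-ItemProperty", "Set-ItemProperty", "ni ", "sp "], "contains")

def selection_cli_key(e):
    return _match(e.get("CommandLine"), ["\\ms-settings\\shell\\open\\command"], "contains")

def rule_matches(e):
    # condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
    reg_path = selection_reg_img(e) and selection_reg_cli(e)
    pwsh_path = selection_pwsh_img(e) and selection_pwsh_cli(e)
    return (reg_path or pwsh_path) and selection_cli_key(e)

def matching_indices(events=EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(e)]  # [0, 1] for the sample set
```

Note that 'add' is matched as a bare substring of the whole command line, so a reg.exe read of the key whose arguments happen to contain "add" would also fire; the image selections are what keep the third and fourth sample events quiet.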
