Registry Modification Attempt Via VBScript

calendar Nov 21, 2025 · attack.defense-evasion attack.persistence attack.execution attack.t1112 attack.t1059.005  ·
Share on: linkedin copy

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Sigma rule (View on GitHub)

 1title: Registry Modification Attempt Via VBScript
 2id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
 3related:
 4    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
 5      type: similar
 6    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
 7      type: similar
 8status: experimental
 9description: |
10    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
11    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
12    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.    
13references:
14    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
15    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
16date: 2025-08-13
17author: Swachchhanda Shrawan Poudel (Nextron Systems)
18tags:
19    - attack.defense-evasion
20    - attack.persistence
21    - attack.execution
22    - attack.t1112
23    - attack.t1059.005
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection:
29        CommandLine|contains|all:
30            - 'CreateObject'
31            - 'Wscript.shell'
32            - '.RegWrite'
33    condition: selection
34falsepositives:
35    - Unknown
36level: medium

References

  • #livingofftheland #redteam #persistence #windowsinternals #threathunting #dfir #cybersecurity #incidentresponse | Maurice Fielenbach

    Red-teamers, this one’s for you. When defenders keep a close eye on reg.exe, regedit.exe, or publicly released helpers like SharpPersist, you can still nudge an autorun key into place with nothing but Windows’ own living-off-the-land binaries. Below are four approaches that touch no disk-resident tooling beyond what ships in the OS. Each method lands the same persistence primitive as reg add, but rides through different logging surfaces—mshta.exe, regini.exe, wscript.exe/cscript.exe, or rundll32.exe instead of the usual suspects. If you’re building detections, watch for RegWrite in ScriptBlock logging, command lines that reference Run or RunOnce inside Shell-Core 9707/9708, and parent-child chains where these LOLBins spawn with suspicious arguments. If you’re on offense, remember that living off the land doesn’t mean living off a single executable. #LivingOffTheLand #RedTeam #Persistence #WindowsInternals #ThreatHunting #DFIR #CyberSecurity #IncidentResponse


    Read More

  • Detecting the Most Popular MITRE Persistence Method – Registry Run Keys / Startup Folder

    Persistence is a cornerstone tactic for both threat actors and red‑teamers, allowing them to cling to a compromised system even after reboots, credential resets, or other disruptions that might oth...


    Read More

Related rules

to-top