Registry Tampering by Potentially Suspicious Processes

calendar Nov 21, 2025 · attack.defense-evasion attack.persistence attack.execution attack.t1112 attack.t1059.005  ·
Share on: linkedin copy

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Sigma rule (View on GitHub)

 1title: Registry Tampering by Potentially Suspicious Processes
 2id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
 3related:
 4    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
 5      type: similar
 6    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
 7      type: similar
 8status: experimental
 9description: |
10    Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
11    These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
12    without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.    
13references:
14    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
15    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
16author: Swachchhanda Shrawan Poudel (Nextron Systems)
17date: 2025-08-13
18tags:
19    - attack.defense-evasion
20    - attack.persistence
21    - attack.execution
22    - attack.t1112
23    - attack.t1059.005
24logsource:
25    category: registry_event
26    product: windows
27detection:
28    selection:
29        Image|endswith:
30            # Add more suspicious processes
31            - '\mshta.exe'
32            - '\wscript.exe'
33            - '\cscript.exe'
34    condition: selection
35falsepositives:
36    - Some legitimate admin or install scripts may use these processes for registry modifications.
37level: medium

References

  • Detecting the Most Popular MITRE Persistence Method – Registry Run Keys / Startup Folder

    Persistence is a cornerstone tactic for both threat actors and red‑teamers, allowing them to cling to a compromised system even after reboots, credential resets, or other disruptions that might oth...


    Read More

  • #livingofftheland #redteam #persistence #windowsinternals #threathunting #dfir #cybersecurity #incidentresponse | Maurice Fielenbach

    Red-teamers, this one’s for you. When defenders keep a close eye on reg.exe, regedit.exe, or publicly released helpers like SharpPersist, you can still nudge an autorun key into place with nothing but Windows’ own living-off-the-land binaries. Below are four approaches that touch no disk-resident tooling beyond what ships in the OS. Each method lands the same persistence primitive as reg add, but rides through different logging surfaces—mshta.exe, regini.exe, wscript.exe/cscript.exe, or rundll32.exe instead of the usual suspects. If you’re building detections, watch for RegWrite in ScriptBlock logging, command lines that reference Run or RunOnce inside Shell-Core 9707/9708, and parent-child chains where these LOLBins spawn with suspicious arguments. If you’re on offense, remember that living off the land doesn’t mean living off a single executable. #LivingOffTheLand #RedTeam #Persistence #WindowsInternals #ThreatHunting #DFIR #CyberSecurity #IncidentResponse


    Read More

Related rules

to-top