Registry Tampering by Potentially Suspicious Processes

calendar Apr 28, 2026 · attack.persistence attack.execution attack.defense-impairment attack.t1112 attack.t1059.005  ·
Share on: linkedin copy

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Sigma rule (View on GitHub)

 1title: Registry Tampering by Potentially Suspicious Processes
 2id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
 3related:
 4    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
 5      type: similar
 6    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
 7      type: similar
 8status: experimental
 9description: |
10    Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
11    These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
12    without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.    
13references:
14    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
15    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
16author: Swachchhanda Shrawan Poudel (Nextron Systems)
17date: 2025-08-13
18modified: 2026-04-14
19tags:
20    - attack.persistence
21    - attack.execution
22    - attack.defense-impairment
23    - attack.t1112
24    - attack.t1059.005
25logsource:
26    category: registry_event
27    product: windows
28detection:
29    selection:
30        Image|endswith:
31            # Add more suspicious processes
32            - '\mshta.exe'
33            - '\wscript.exe'
34            - '\cscript.exe'
35    filter_main_binary_data:
36        Details: 'Binary Data'
37    filter_main_null:
38        Details: null
39    filter_main_wscript_legit_1:
40        Image|endswith: '\wscript.exe'
41        TargetObject|contains:
42            - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
43            - '\Services\bam\State\UserSettings\S-1-'
44            - 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
45            - 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
46    filter_main_wscript_legit_2:
47        Image|endswith: '\wscript.exe'
48        TargetObject|contains: '\wscript.exe'
49    condition: selection and not 1 of filter_main_*
50falsepositives:
51    - Some legitimate admin or install scripts may use these processes for registry modifications.
52level: medium

References

Related rules

to-top