Potential Persistence Via MyComputer Registry Keys
Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
Sigma rule (View on GitHub)
1title: Potential Persistence Via MyComputer Registry Keys
2id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
3status: experimental
4description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
5references:
6 - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/09
9modified: 2024/01/11
10tags:
11 - attack.persistence
12logsource:
13 category: registry_set
14 product: windows
15detection:
16 selection:
17 TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\MyComputer'
18 TargetObject|endswith: '(Default)'
19 condition: selection
20falsepositives:
21 - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
22level: high
References
-
The flexibility offered by the Registry comes with a price. Whoever is in a position to change the Registry keys or its values can affect not only the way OS works, but also adjust the functionalit...
Read More
Related rules
- Creation Of Non-Existent System DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE