Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the *\shell\open\command registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
Sigma rule:

title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
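To show what the selection above actually matches, here is the rule's logic applied to a few constructed registry_set events (Sysmon Event ID 13 style). This is an added example, not part of the rule or the Sigma project; it assumes the Sigma default that `contains` is a case-insensitive substring test, that the two selection fields are ANDed and the list values ORed, and the sample events are made up.

```python
# Detection values copied from the Sigma rule above.
TARGET_OBJECT_CONTAINS = "\\shell\\open\\command\\"
DETAILS_CONTAINS = [
    "\\$Recycle.Bin\\", "\\AppData\\Local\\Temp\\", "\\Contacts\\",
    "\\Music\\", "\\PerfLogs\\", "\\Photos\\", "\\Pictures\\",
    "\\Users\\Public\\", "\\Videos\\", "\\Windows\\Temp\\",
    "%AppData%", "%LocalAppData%", "%Temp%", "%tmp%",
]


def matches(event: dict) -> bool:
    """Sigma 'contains' is a case-insensitive substring match (assumption:
    the Sigma default). Both selection keys must match; list items are ORed."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if TARGET_OBJECT_CONTAINS.lower() not in target:
        return False
    return any(p.lower() in details for p in DETAILS_CONTAINS)


def find_matches(events: list) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # ms-settings handler command pointing at a user-writable temp path: alert
        "EventID": 13,
        "TargetObject": "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
        "Details": "%Temp%\\update.bat",
    },
    {   # Ordinary file association under Program Files: no alert
        "EventID": 13,
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\Applications\\editor.exe\\shell\\open\\command\\(Default)",
        "Details": "\"C:\\Program Files\\Editor\\editor.exe\" \"%1\"",
    },
    {   # Suspicious path, but not a shell\open\command key: TargetObject clause fails
        "EventID": 13,
        "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\svc.exe",
    },
    {   # Upper-case variant: case-insensitive matching still catches it
        "EventID": 13,
        "TargetObject": "HKCU\\Software\\Classes\\.txt\\SHELL\\OPEN\\COMMAND\\(Default)",
        "Details": "C:\\USERS\\PUBLIC\\LOADER.EXE %1",
    },
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetObject"], "->", hit["Details"])
```

The second event illustrates the stated false-positive class only partly: an installer writing the same key with a path under `\Users\Public\` or `%AppData%` would still alert, so those hits need allowlisting by publisher or installer rather than by key.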
Related rules
- Registry Modification of MS-settings Protocol Handler
- Shell Open Registry Keys Manipulation
- PowerShell Web Access Feature Enabled Via DISM
- Trusted Path Bypass via Windows Directory Spoofing
- UAC Bypass With Fake DLL