Shell Open Registry Keys Manipulation

Hunt Hypothesis

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 3

Detection Rule

Sigma (Original)

title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
related:
    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
      type: similar
status: test
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
    - https://github.com/hfiref0x/UACME
    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-01-13
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where (EventType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue" and RegistryValueData contains "\\Software\\Classes\\{") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((EventType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where (ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue" and RegistryValueData contains "\\Software\\Classes\\{") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))

Required Data Sources

Sentinel Table	Notes
`imRegistry`	Ensure this data connector is enabled

False Positive Guidance

Unknown

MITRE ATT&CK Context

Tactic: Persistence
Tactic: Defense Evasion
Tactic: Privilege Escalation
Technique: T1548.002 — Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from l
Technique: T1546.001 — Change Default File Association

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file associ

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly: