
Suspicious Shell Open Command Registry Modification

Format: Sigma · Level: MEDIUM · Source: SigmaHQ
ATT&CK: T1548.002, T1546.001
Sentinel table: imRegistry
Tags: evasion, persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-03-25T02:49:04Z · Confidence: low

Hunt Hypothesis

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.

Detection Rule

Sigma (Original)

title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
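The rule's `selection` applied to a few registry_set events, as an added example that is not part of the original rule or the SigmaHQ repository; the field names follow the Sysmon/Sigma `TargetObject` and `Details` convention and the sample events are constructed, not real telemetry.

```python
"""Apply this rule's Sigma selection to registry_set events (added example)."""
from typing import Iterable

# Values copied from the rule's `detection.selection`. Sigma string matching is
# case-insensitive by default, so all comparisons are done on lower-cased text.
KEY_PATTERN = "\\shell\\open\\command\\"
SUSPICIOUS_DETAILS = [
    "\\$Recycle.Bin\\", "\\AppData\\Local\\Temp\\", "\\Contacts\\", "\\Music\\",
    "\\PerfLogs\\", "\\Photos\\", "\\Pictures\\", "\\Users\\Public\\", "\\Videos\\",
    "\\Windows\\Temp\\", "%AppData%", "%LocalAppData%", "%Temp%", "%tmp%",
]


def matched_patterns(event: dict) -> list[str]:
    """Return the Details patterns that fire; handy as an enrichment field on the alert."""
    details = event.get("Details", "").lower()
    return [p for p in SUSPICIOUS_DETAILS if p.lower() in details]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection`: both the key and the data must hit."""
    target = event.get("TargetObject", "").lower()
    if KEY_PATTERN.lower() not in target:
        return False
    return bool(matched_patterns(event))


# Constructed sample events in Sysmon Event ID 13 (registry_set) shape.
SAMPLE_EVENTS = [
    {   # default handler for .txt files redirected to a user-writable temp path
        "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "\"%LocalAppData%\\Temp\\svc.exe\" \"%1\"",
    },
    {   # same key, but the handler lives under Program Files: expected benign
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\txtfile\\shell\\open\\command\\(Default)",
        "Details": "\"C:\\Program Files\\Notepad++\\notepad++.exe\" \"%1\"",
    },
    {   # suspicious path, but not a shell\open\command key: outside this rule's scope
        "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\updater.exe",
    },
]


def run(events: Iterable[dict]) -> list[int]:
    """Return the indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}]: {ev['TargetObject']} -> {matched_patterns(ev)}")
```

Only the first event fires; the second shows why the key match alone is not enough, and the third why a suspicious path alone is not in scope for this rule.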

KQL (Azure Sentinel)

imRegistry
| where EventType == "RegistryValueSet"   // Sigma logsource category registry_set
// RegistryKey carries the key path without the value name, so match the key itself;
// endswith "...command*" treats the asterisk literally and never matches.
| where RegistryKey contains "\\shell\\open\\command"
| where RegistryValueData contains "\\$Recycle.Bin\\"
    or RegistryValueData contains "\\AppData\\Local\\Temp\\"
    or RegistryValueData contains "\\Contacts\\"
    or RegistryValueData contains "\\Music\\"
    or RegistryValueData contains "\\PerfLogs\\"
    or RegistryValueData contains "\\Photos\\"
    or RegistryValueData contains "\\Pictures\\"
    or RegistryValueData contains "\\Users\\Public\\"
    or RegistryValueData contains "\\Videos\\"
    or RegistryValueData contains "\\Windows\\Temp\\"
    or RegistryValueData contains "%AppData%"
    or RegistryValueData contains "%LocalAppData%"
    or RegistryValueData contains "%Temp%"
    or RegistryValueData contains "%tmp%"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"   // Sigma logsource category registry_set
// RegistryKey carries the key path without the value name, so match the key itself;
// endswith "...command*" treats the asterisk literally and never matches.
| where RegistryKey contains "\\shell\\open\\command"
| where RegistryValueData contains "\\$Recycle.Bin\\"
    or RegistryValueData contains "\\AppData\\Local\\Temp\\"
    or RegistryValueData contains "\\Contacts\\"
    or RegistryValueData contains "\\Music\\"
    or RegistryValueData contains "\\PerfLogs\\"
    or RegistryValueData contains "\\Photos\\"
    or RegistryValueData contains "\\Pictures\\"
    or RegistryValueData contains "\\Users\\Public\\"
    or RegistryValueData contains "\\Videos\\"
    or RegistryValueData contains "\\Windows\\Temp\\"
    or RegistryValueData contains "%AppData%"
    or RegistryValueData contains "%LocalAppData%"
    or RegistryValueData contains "%Temp%"
    or RegistryValueData contains "%tmp%"

Required Data Sources

Sentinel Table: imRegistry
Notes: Ensure this data connector is enabled

False Positive Guidance

Legitimate software installations or updates can register a file handler under one of these locations (see the rule's falsepositives). Before escalating, check the process that wrote the key and whether the referenced binary is signed and belongs to a known installer; tune by allowlisting specific handler paths rather than whole directories.

MITRE ATT&CK Context

- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
- T1546.001 Event Triggered Execution: Change Default File Association
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml