SigmaHQ · swachchhanda000 · Jun 17, 2025 · Jun 17, 2025
diff --git a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
@@ -1,39 +1,42 @@
-title: Suspicious Reg Add Open Command
+title: Registry Modification of MS-settings Protocol Handler
 id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+related:
+    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+      type: similar
 status: test
-description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+description: |
+    Detects registry modifications to the `ms-settings` protocol handler, which is frequently targeted for UAC bypass or persistence.
+    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
 references:
     - https://thedfirreport.com/2021/12/13/diavol-ransomware/
-author: frack113
+    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
+author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2021-12-20
-modified: 2022-12-25
+modified: 2025-06-17
 tags:
-    - attack.credential-access
-    - attack.t1003
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.t1548.002
+    - attack.t1546.001
+    - attack.t1112
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_1:
-        CommandLine|contains|all:
-            - 'reg'
-            - 'add'
-            - 'hkcu\software\classes\ms-settings\shell\open\command'
-            - '/ve '
-            - '/d'
-    selection_2:
-        CommandLine|contains|all:
-            - 'reg'
-            - 'add'
-            - 'hkcu\software\classes\ms-settings\shell\open\command'
-            - '/v'
-            - 'DelegateExecute'
-    selection_3:
-        CommandLine|contains|all:
-            - 'reg'
-            - 'delete'
-            - 'hkcu\software\classes\ms-settings'
-    condition: 1 of selection_*
+    selection_img:
+        - Image|endswith:
+              - '\reg.exe'
+              - '\powershell.exe'
+              - '\powershell_ise.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'reg.exe'
+              - 'powershell.exe'
+              - 'powershell_ise.exe'
+              - 'pwsh.dll'
+    selection_cmd:
+        CommandLine|contains: '\ms-settings\shell\open\command'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -1,5 +1,8 @@
 title: Shell Open Registry Keys Manipulation
 id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+related:
+    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+      type: similar
 status: test
 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 references:

diff --git a/...windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml b/...windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
@@ -0,0 +1,41 @@
+title: Suspicious Shell Open Command Registry Modification
+id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
+status: experimental
+description: |
+    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
+    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
+    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
+references:
+    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-06-17
+tags:
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.t1548.002
+    - attack.t1546.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\shell\open\command\'
+        Details|contains:
+            - '\$Recycle.Bin\'
+            - '\AppData\Local\Temp\'
+            - '\Contacts\'
+            - '\Music\'
+            - '\PerfLogs\'
+            - '\Photos\'
+            - '\Pictures\'
+            - '\Users\Public\'
+            - '\Videos\'
+            - '\Windows\Temp\'
+            - '%AppData%'
+            - '%LocalAppData%'
+            - '%Temp%'
+            - '%tmp%'
+    condition: selection
+falsepositives:
+    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
+level: medium