
Suspicious Shell Open Command Registry Modification (9e8894c0-0ae0-11ef-9d85-1f2942bec57c)

Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. More generally, a modification to a *\shell\open\command registry key can indicate an attempt to change the default action taken when a file type is opened, and various UAC bypass and persistence techniques modify these keys so that a malicious script or binary is executed instead.
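As an added illustration of the detection idea described above (this is editorial example code, not the logic of the Sigma rule or of any MISP component), the following scans Sysmon-style registry value-set records (Event ID 13) and flags writes to a `\shell\open\command` key whose new command points into a user-writable location. The field names `TargetObject`, `Details` and `Image` follow Sysmon's registry events; the list of "suspicious" locations and the sample events are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed Sysmon-style registry value-set records (EventID 13); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.exe \"%1\""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\Applications\\notepad++.exe\\shell\\open\\command\\(Default)",
     "Details": "\"C:\\Program Files\\Notepad++\\notepad++.exe\" \"%1\""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\Public\\launcher.exe"},
    # Same suspicious path, but written to a Run key: out of scope for this particular check.
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\foo",
     "Details": "C:\\Users\\Public\\launcher.exe"},
]

# Matches any key path that contains a \shell\open\command component, whatever the file class.
SHELL_OPEN_RE = re.compile(r"\\shell\\open\\command(\\|$)", re.IGNORECASE)

# Assumed set of user-writable locations commonly abused for persistence (editorial assumption,
# not a list taken from the rule); extend or tune it for your environment.
SUSPICIOUS_PATH_RE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\"
    r"|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PUBLIC%)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    target: str   # registry value that was written
    details: str  # new command line stored in the key
    image: str    # process that performed the write
    reason: str


def is_shell_open_command_key(target: str) -> bool:
    """True when the written value lives under a ...\\shell\\open\\command key."""
    return bool(SHELL_OPEN_RE.search(target))


def suspicious_location(details: str) -> Optional[str]:
    """Return the matched suspicious path fragment in the command, or None."""
    m = SUSPICIOUS_PATH_RE.search(details)
    return m.group(0) if m else None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Flag registry value-set events that repoint a shell\\open\\command key to a suspicious path."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if not is_shell_open_command_key(target):
            continue
        details = ev.get("Details", "")
        loc = suspicious_location(details)
        if loc:
            findings.append(Finding(target, details, ev.get("Image", ""),
                                    f"open command points into {loc}"))
    return findings


def scan_sample() -> List[Finding]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[ALERT] {f.image} wrote {f.target} -> {f.details} ({f.reason})")
```

Only the `txtfile` and `mscfile` writes are flagged: the Notepad++ installer legitimately registers an open command under `Program Files`, and the Run-key write, while worth its own rule, is not a `\shell\open\command` modification. In production the `Image` field is the natural place for an allowlist of installers, since legitimate software updates these keys constantly.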

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Suspicious Shell Open Command Registry Modification (9e8894c0-0ae0-11ef-9d85-1f2942bec57c) | Sigma-Rules | Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) | Attack Pattern | 1
Suspicious Shell Open Command Registry Modification (9e8894c0-0ae0-11ef-9d85-1f2942bec57c) | Sigma-Rules | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 1
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 2