Registry Modification Attempt Via VBScript - PowerShell (2a0a169d-cc66-43ce-9ae2-6e678e54e46a)

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
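The two indicators the description names, turned into matching logic and run over constructed process-creation events. This is an added illustration, not the Sigma rule itself; it assumes Sysmon-style `Image` and `CommandLine` fields and scopes the match to PowerShell host images, both assumptions rather than details taken from the page.

```python
import re

# Indicators the rule description names: a WScript.Shell COM object created via
# CreateObject(...) and its RegWrite method invoked, both inside a PowerShell
# command line. Case-insensitive because VBScript and PowerShell are.
# The quote class also accepts backslash-escaped or doubled quotes, which is how
# VBScript text usually survives inside a PowerShell string literal.
WSHELL_RE = re.compile(r"""CreateObject\s*\(\s*[\\"']+WScript\.Shell[\\"']+\s*\)""", re.I)
REGWRITE_RE = re.compile(r"\.RegWrite\b", re.I)

# Assumption (not stated on the page): events are Sysmon-style process-creation
# records with Image and CommandLine fields, and the rule is scoped to PowerShell hosts.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_powershell(image: str) -> bool:
    """True when the image file name is a PowerShell host."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in POWERSHELL_IMAGES


def matches_rule(image: str, command_line: str) -> bool:
    """True only when a PowerShell process carries BOTH indicators; requiring both
    keeps the matcher quiet on the bare word RegWrite or on unrelated WScript.Shell use."""
    if not is_powershell(image):
        return False
    return bool(WSHELL_RE.search(command_line) and REGWRITE_RE.search(command_line))


def scan(events):
    """Return the ids of the events the rule logic matches."""
    return [e["id"] for e in events if matches_rule(e["Image"], e["CommandLine"])]


# Constructed sample events (not real telemetry); registry paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # VBScript written to disk from PowerShell, quotes backslash-escaped
    {"id": 1, "Image": PS, "CommandLine": r'''powershell -nop -c "Set-Content $env:TEMP\p.vbs 'Set sh = CreateObject(\"Wscript.shell\"): sh.RegWrite \"HKCU\Software\Example\Flag\", 1, \"REG_DWORD\"'"'''},
    # Same indicators under pwsh with PowerShell's doubled-single-quote escaping
    {"id": 2, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": r'''pwsh -c "$code = 'Set o = CreateObject(''WScript.Shell''): o.RegWrite ''HKCU\Software\Example\Flag'', 1'"'''},
    # Same text, but not a PowerShell host: outside this rule's scope
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd /c echo Set sh = CreateObject("WScript.Shell"): sh.RegWrite x > p.vbs'},
    # Only one indicator present, and only as a plain word
    {"id": 4, "Image": PS, "CommandLine": "powershell -c \"Write-Host 'RegWrite audit complete'\""},
    # Native registry cmdlet: covered by other rules, not this one
    {"id": 5, "Image": PS, "CommandLine": r"powershell -c Get-ItemProperty HKCU:\Software\Example"},
]
```

Running `scan(SAMPLE_EVENTS)` returns `[1, 2]`: the cmd.exe event with identical text is not matched, which is the trade-off of scoping the rule to PowerShell hosts.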

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Registry Modification Attempt Via VBScript - PowerShell (2a0a169d-cc66-43ce-9ae2-6e678e54e46a) | Sigma-Rules | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | Registry Modification Attempt Via VBScript - PowerShell (2a0a169d-cc66-43ce-9ae2-6e678e54e46a) | Sigma-Rules | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |