
Registry Tampering by Potentially Suspicious Processes (7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2)

Detects suspicious registry modifications made by potentially suspicious processes, such as the script engine processes WScript or CScript. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Registry Tampering by Potentially Suspicious Processes (7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2) | Sigma-Rules | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |
| Registry Tampering by Potentially Suspicious Processes (7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2) | Sigma-Rules | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2 |