
User Shell Folders Registry Modification via CommandLine (8f3ab69a-aa22-4943-aa58-e0a52fdf6818)

Detects modifications to User Shell Folders registry values made via reg.exe or PowerShell, which can indicate a persistence attempt. The key (HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders) tells Explorer where special folders live; its Startup value (and Common Startup under HKLM) defines the Startup folder whose contents run at logon. An attacker who repoints that value at a directory they control gets every file placed there executed automatically, without touching the better-monitored Run keys. Because this rule matches on process command lines, it only sees changes made with command-line tooling; a value written directly through the registry API needs registry-event telemetry (for example Sysmon Event ID 13) to be caught.
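The following is an added worked example, not the Sigma rule's own logic or any MISP code: a small Python detector that applies the same idea to process-creation events. It assumes events carry an image path and a command line, flags only writes (reg.exe add, or the PowerShell Set-/New-ItemProperty cmdlets) that name the User Shell Folders key, and pulls out the value name and the new target directory so an analyst can triage where Startup now points. The sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry key used for User Shell Folders persistence (HKCU or HKLM hive).
USER_SHELL_FOLDERS_KEY = re.compile(
    r"\\CurrentVersion\\Explorer\\User Shell Folders\b", re.IGNORECASE)

# Command-line shapes that write a value: reg.exe add, or the PowerShell
# cmdlets that create or overwrite a registry value. Reads (reg query,
# Get-ItemProperty) are deliberately not matched.
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
PS_WRITE = re.compile(r"\b(?:Set|New)-ItemProperty\b", re.IGNORECASE)


@dataclass
class ProcessEvent:          # hypothetical event shape, assumed for the example
    image: str
    command_line: str


@dataclass
class Alert:
    image: str
    tool: str                # "reg" or "powershell"
    value_name: Optional[str]   # e.g. "Startup" or "Common Startup"
    target: Optional[str]       # directory the value now points at


def _arg(cmd: str, flag: str) -> Optional[str]:
    """Return the token following a flag such as '/v' or '-Name'.
    Handles double-quoted, single-quoted and bare arguments."""
    pat = re.compile(re.escape(flag) + r"\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))",
                     re.IGNORECASE)
    m = pat.search(cmd)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def detect(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if the command line writes a User Shell Folders value."""
    cmd = event.command_line
    if not USER_SHELL_FOLDERS_KEY.search(cmd):
        return None
    if REG_ADD.search(cmd):
        return Alert(event.image, "reg", _arg(cmd, "/v"), _arg(cmd, "/d"))
    if PS_WRITE.search(cmd):
        return Alert(event.image, "powershell",
                     _arg(cmd, "-Name"), _arg(cmd, "-Value"))
    return None


def scan(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (detect(e) for e in events) if a is not None]


# Constructed sample events: two persistence attempts, three benign or
# unrelated command lines that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
                 r'/v Startup /t REG_EXPAND_SZ /d "C:\Users\Public\evil" /f'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -NoProfile -Command "Set-ItemProperty -Path '''
                 r'''"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '''
                 r'''-Name 'Common Startup' -Value 'C:\ProgramData\x'"'''),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg add HKCU\Software\Contoso\App /v Theme /d dark /f'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.tool}] {alert.image}: {alert.value_name!r} -> {alert.target!r}")
```

The two alerts expose the rewritten value and its new target, which is the field worth triaging: a Startup value that no longer resolves under the user's profile (for example a world-writable path such as C:\Users\Public) is the strongest signal of abuse, while legitimate folder-redirection tooling will usually point it at a profile or network share.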

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | User Shell Folders Registry Modification via CommandLine (8f3ab69a-aa22-4943-aa58-e0a52fdf6818) | Sigma-Rules | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | User Shell Folders Registry Modification via CommandLine (8f3ab69a-aa22-4943-aa58-e0a52fdf6818) | Sigma-Rules | 1 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |