Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf)

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. This could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf) | Sigma-Rules | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf) | Sigma-Rules | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2 |