Skip to content

Hide Navigation Hide TOC

Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf)

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Cluster A Galaxy A Cluster B Galaxy B Level
Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf) Sigma-Rules Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Registry Modification Attempt Via VBScript (921aa10f-2e74-4cca-9498-98f9ca4d6fdf) Sigma-Rules Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2