User Shell Folders Registry Modification via CommandLine

Rule Info

Name
User Shell Folders Registry Modification via CommandLine
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. The User Shell Folders key (under HKCU or HKLM at Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders) stores the paths Explorer uses for special folders such as Startup; an attacker who redirects the Startup value to a directory they control gets every executable or script placed there run at logon. This technique is used to maintain persistence on a compromised system by ensuring that malicious payloads execute automatically without touching the more closely watched Run keys or the real Startup folder.
Date
2026-01-05
Modified
None
Id
8f3ab69a-aa22-4943-aa58-e0a52fdf6818
Tags
attack.persistence attack.privilege-escalation attack.t1547.001 attack.defense-evasion attack.t1112
Type
Community Rule
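The page shows the rule's metadata but not its detection logic. The block below is an added example, written for this page and not the rule's own selection, of a command-line matcher in the same spirit as the description: it flags reg.exe "add" and PowerShell Set-/New-ItemProperty invocations that target the User Shell Folders key, ignores read-only "reg query" calls and writes to other keys, and marks hits that redirect the Startup or Common Startup value for faster triage. The registry path is the real Windows location; the regular expressions and the sample command lines are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Registry subkey abused by this technique (a known Windows location, not quoted from the rule).
# It exists under both HKCU and HKLM, so the matcher keys on the subkey name only.
USER_SHELL_FOLDERS = re.compile(r"user shell folders", re.IGNORECASE)

# Writers the description names: reg.exe "add", or the PowerShell property cmdlets.
# "reg query" and Get-ItemProperty are reads and deliberately do not match.
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
PS_SET = re.compile(r"\b(?:Set-ItemProperty|New-ItemProperty)\b", re.IGNORECASE)

# The value worth escalating on: redirecting Startup / Common Startup makes
# Explorer run whatever is in the new directory at every logon.
STARTUP_VALUE = re.compile(r"(?:/v|-Name)\s+[\"']?(?:Common\s+)?Startup\b", re.IGNORECASE)


class Finding(NamedTuple):
    index: int             # position of the offending command line in the input
    targets_startup: bool  # True when the Startup folder itself is being redirected


def is_user_shell_folders_write(command_line: str) -> bool:
    """True when the command line writes a value under User Shell Folders."""
    if not USER_SHELL_FOLDERS.search(command_line):
        return False
    return bool(REG_ADD.search(command_line) or PS_SET.search(command_line))


def scan(command_lines: List[str]) -> List[Finding]:
    """Run the matcher over process-creation command lines and report every hit."""
    return [
        Finding(i, bool(STARTUP_VALUE.search(cl)))
        for i, cl in enumerate(command_lines)
        if is_user_shell_folders_write(cl)
    ]


# Constructed sample command lines (not real telemetry). Indices 0, 1, 4 and 5 should
# fire; 2 is a read and 3 touches the Run key instead, which this matcher ignores.
SAMPLE_COMMAND_LINES = [
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
    r'/v Startup /t REG_EXPAND_SZ /d "C:\Users\Public\Libraries" /f',
    r"powershell.exe -NoP -c Set-ItemProperty -Path "
    r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' "
    r"-Name Startup -Value 'C:\Users\Public\Libraries'",
    r'reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup',
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /d "C:\Users\Public\u.exe" /f',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\USER SHELL FOLDERS" '
    r'/v "Common Startup" /d "C:\ProgramData\x" /f',
    r"pwsh.exe -c New-ItemProperty -Path "
    r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' "
    r"-Name Desktop -Value 'D:\Desktop'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"hit #{f.index} startup={f.targets_startup}: {SAMPLE_COMMAND_LINES[f.index]}")
```

The matcher is substring based, so a key name assembled at runtime, a reg.exe call hidden behind cmd /c with escaped quotes, or a cmdlet invoked from a script file on disk will slip past it; pair command-line detection with registry value-set telemetry (Sysmon event ID 13) on the same key. The Startup flag is a triage aid only: any write to the key is unusual enough on most hosts to warrant a look.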

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5824 from @swachchhanda000 - Update User Shell Folders Registry Modification Rules
Date
2026-01-29