Rule Info
Name
Suspicious Shell Open Command Registry Modification
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
Date
2026-01-24 00:00:00
Modified
None
Id
9e8894c0-0ae0-11ef-9d85-1f2942bec57c
Tags
attack.defense-evasion attack.privilege-escalation attack.persistence attack.t1548.002 attack.t1546.001
Type
Community Rule
Link to Public Repo
Rule History
Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5487 from @swachchhanda000 - Update Registry Shell Open Related Rules | 2026-01-24 |
