Uninstall SystemComponent Registry Value Modification via CommandLine

Rule Info

Name
Uninstall SystemComponent Registry Value Modification via CommandLine
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects modification of the "SystemComponent" registry value in the "Uninstall" key through the command line. Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques.
Date
2026-06-04 00:00:00
Modified
None
Id
c349d7d6-e22d-4e69-8a99-f5d073c6c6a6
Tags
attack.stealth attack.defense-impairment attack.t1112 attack.persistence attack.t1564
Type
Nextron Sigma feed only (private)

Rule History