
Shell Context Menu Command Tampering

Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.

Detection Query

selection:
  TargetObject|contains|all:
    - \Software\Classes\
    - \shell\
    - \command\
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2024-03-06

Data Sources

Windows Registry Set Events

Platforms

windows

Tags

attack.persistence
detection.threat-hunting

Raw Content
title: Shell Context Menu Command Tampering
id: 868df2d1-0939-4562-83a7-27408c4a1ada
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
    - https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Classes\'
            - '\shell\'
            - '\command\'
    condition: selection
falsepositives:
    - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
level: low
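The Detection Query section and the `detection` block of the raw rule express a single test: a Windows registry value set event whose TargetObject contains all three substrings. As an added example that is not part of the Sigma rule or this page, the following Python applies that test (case-insensitive, as Sigma string modifiers are) to constructed Sysmon Event ID 13 records; the field names `Image`, `TargetObject` and `Details` follow Sysmon, and every sample value is invented.

```python
import json

# The three substrings the rule requires in TargetObject (Sigma `contains|all`).
# Sigma string matching is case-insensitive, so the comparison is casefolded.
REQUIRED_SUBSTRINGS = ("\\Software\\Classes\\", "\\shell\\", "\\command\\")


def matches_rule(event: dict) -> bool:
    """Apply the rule's selection to one Sysmon Event ID 13 (registry value set) record."""
    target = event.get("TargetObject", "").casefold()
    return all(s.casefold() in target for s in REQUIRED_SUBSTRINGS)


def load_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per line, as a SIEM typically exports Sysmon events."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def hunt(events: list[dict]) -> list[dict]:
    """Return the fields an analyst needs to triage each hit: which process set which command."""
    return [
        {"Image": e["Image"], "TargetObject": e["TargetObject"], "Details": e["Details"]}
        for e in events
        if matches_rule(e)
    ]


# Constructed Sysmon Event ID 13 records, not real telemetry. Two match the rule
# (the first is the Git installer case the rule lists as a false positive), two do not.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\alice\\Downloads\\Git-installer.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\Directory\\Background\\shell\\git_shell\\command\\(Default)", "Details": "\"C:\\Program Files\\Git\\git-bash.exe\" --cd=\"%v.\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1000-1000-1000-1001\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)", "Details": "C:\\Users\\Public\\notes.exe \"%1\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\.txt\\(Default)", "Details": "txtfile"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKCU\\Software\\Vendor\\shell\\open\\command\\(Default)", "Details": "C:\\Program Files\\Vendor\\app.exe"}
"""

if __name__ == "__main__":
    # Each hit is a hunting lead, not a verdict: compare Image and Details against
    # known installers (the rule names PowerShell, Everything and Git) before escalating.
    for hit in hunt(load_events(SAMPLE_LOG)):
        print(f"{hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```

The third record shows why `contains|all` matters: a key under `\Software\Classes\` without `\shell\` and `\command\` is an ordinary file-type registration and is left alone.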