EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Registry Modification Attempt Via VBScript

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

MITRE ATT&CK

T1112T1059.005
defense-evasionpersistenceexecution

Detection Query

selection:
  CommandLine|contains|all:
    - CreateObject
    - Wscript.shell
    - .RegWrite
condition: selection

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-08-13

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.persistenceattack.executionattack.t1112attack.t1059.005
Raw Content
title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
    - attack.t1112
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Unknown
level: medium