From d5188c36a1c19eb101194a9c263a8e3ce285aa1e Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Sat, 24 Jan 2026 23:39:59 +0545
Subject: [PATCH] Merge PR #5487 from @swachchhanda000 - Update Registry Shell Open Related Rules

update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
new: Suspicious Shell Open Command Registry Modification

---------

Co-authored-by: Nasreddine Bencherchali
---
 .../proc_creation_win_reg_open_command.yml | 39 ---------------
 ...ication_of_ms_setting_protocol_handler.yml | 50 +++++++++++++++++++
 ...try_event_shell_open_keys_manipulation.yml | 3 ++
 ..._shell_open_keys_modification_patterns.yml | 42 ++++++++++++++++
 4 files changed, 95 insertions(+), 39 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_reg_open_command.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
diff --git a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
deleted file mode 100644
index 680e38432..000000000
--- a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Suspicious Reg Add Open Command
-id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
-status: test
-description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
-references:
- - https://thedfirreport.com/2021/12/13/diavol-ransomware/
-author: frack113
-date: 2021-12-20
-modified: 2022-12-25
-tags:
- - attack.credential-access
- - attack.t1003
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_1:
- CommandLine|contains|all:
- - 'reg'
- - 'add'
- - 'hkcu\software\classes\ms-settings\shell\open\command'
- - '/ve '
- - '/d'
- selection_2:
- CommandLine|contains|all:
- - 'reg'
- - 'add'
- - 'hkcu\software\classes\ms-settings\shell\open\command'
- - '/v'
- - 'DelegateExecute'
- selection_3:
- CommandLine|contains|all:
- - 'reg'
- - 'delete'
- - 'hkcu\software\classes\ms-settings'
- condition: 1 of selection_*
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml b/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
new file mode 100644
index 000000000..9cc4053b4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
@@ -0,0 +1,50 @@
+title: Registry Modification of MS-settings Protocol Handler
+id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+related:
+ - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+ type: similar
+status: test
+description: |
+ Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
+ Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+ - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
+author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2021-12-20
+modified: 2026-01-24
+tags:
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.t1548.002
+ - attack.t1546.001
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_reg_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_pwsh_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'powershell.exe'
+ - 'pwsh.dll'
+ selection_reg_cli:
+ CommandLine|contains: 'add'
+ selection_pwsh_cli:
+ CommandLine|contains:
+ - 'New-ItemProperty'
+ - 'Set-ItemProperty'
+ - 'ni '
+ - 'sp '
+ selection_cli_key:
+ CommandLine|contains: '\ms-settings\shell\open\command'
+ condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index 57b07c733..864f72e49 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
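Review bot: The deletion branch of the replaced rule is not carried over: the old selection_3 matched `reg delete` against `hkcu\software\classes\ms-settings`, while the new condition requires selection_cli_key, i.e. `\ms-settings\shell\open\command`, which a removal of the parent key does not contain, so the post-bypass cleanup this rule used to flag is no longer detected unless another rule covers it. Because the condition uses `all of selection_reg_*`, any additional `selection_reg_*` name would become mandatory, so a deletion pattern needs its own name (for example `selection_cleanup_cli` with `CommandLine|contains|all` of `'delete'` and `'\ms-settings'`) OR'd into the condition next to `selection_reg_img`, or a separate rule. If dropping it is intentional, a sentence in the description stating that deletion/cleanup is out of scope would make the commit message's "more clear" claim hold for readers comparing the two versions.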
@@ -1,5 +1,8 @@
 title: Shell Open Registry Keys Manipulation
 id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+related:
+ - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+ type: similar
 status: test
 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml b/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
new file mode 100644
index 000000000..1cee7ff97
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
@@ -0,0 +1,42 @@
+title: Suspicious Shell Open Command Registry Modification
+id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
+status: experimental
+description: |
+ Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
+ Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
+ and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
+references:
+ - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-24
+tags:
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.t1548.002
+ - attack.t1546.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\shell\open\command\'
+ Details|contains:
+ - '\$Recycle.Bin\'
+ - '\AppData\Local\Temp\'
+ - '\Contacts\'
+ - '\Music\'
+ - '\PerfLogs\'
+ - '\Photos\'
+ - '\Pictures\'
+ - '\Users\Public\'
+ - '\Videos\'
+ - '\Windows\Temp\'
+ - '%AppData%'
+ - '%LocalAppData%'
+ - '%Temp%'
+ - '%tmp%'
+ condition: selection
+falsepositives:
+ - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
+level: medium
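Review bot: The new rule carries no `related` block even though it watches the same `\shell\open\command` key family as `registry_event_shell_open_keys_manipulation.yml` (152f3630-77c1-4284-bcc0-4cc68ab2f6e7), while this same commit adds reciprocal `related` entries between the other two rules; for consistency add after the `id` line `related:` / `- id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7` / `type: similar`, and the mirror entry in the registry_event rule. The `Details|contains` list pairs the expanded `\AppData\Local\Temp\` path with its `%Temp%`/`%tmp%`/`%LocalAppData%` environment forms, but `\Users\Public\` has no `%Public%` counterpart, so an expand-string value written in that form is presumably missed; consider adding `- '%Public%'` if the other environment entries are kept. Also note that `TargetObject|contains: '\shell\open\command\'` will match the `DelegateExecute` value under the same key, whose `Details` is normally empty, so that event is filtered out by the `Details` list rather than by design; a one-line comment saying the rule intentionally scores only the command path would help the next maintainer.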