Advisory severity: medium

Suspicious Registry Modifications by Scripting Engines

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

Attackers may leverage scripting engines such as wscript.exe and cscript.exe to modify the Windows Registry directly, without going through standard tools like regedit.exe or reg.exe, which makes the resulting changes harder to spot. This technique is commonly used to establish persistence, escalate privileges, or disable security controls. Defenders should watch for these engines writing to the registry, since that behavior is uncommon in legitimate software installations or administrative tasks.

Attack Chain

  1. An attacker gains initial access to the system, potentially through social engineering or exploiting a software vulnerability.
  2. The attacker executes a script (VBScript, JScript) via wscript.exe or cscript.exe.
  3. The script contains commands to modify specific registry keys, such as the Run key for persistence (T1547.001).
  4. The scripting engine process (e.g., wscript.exe) directly interacts with the Windows Registry to set the new values.
  5. Upon system restart or user logon, the modified registry key triggers the execution of a malicious payload.
  6. The attacker achieves persistence on the compromised system, allowing for continued access and control.
  7. The attacker leverages the persistent access to perform lateral movement or data exfiltration.

Impact

Successful exploitation can lead to persistent access on compromised systems, enabling attackers to execute malicious code, steal sensitive information, or disrupt critical services. The registry modifications performed by scripting engines can bypass traditional security measures and make it difficult to detect and remediate the attack. This can result in significant data loss, financial damage, and reputational harm to affected organizations.

Recommendation

  • Deploy the Sigma rule “Registry Tampering by Potentially Suspicious Processes” to your SIEM to detect suspicious registry modifications made by scripting engines.
  • Investigate any alerts generated by the Sigma rule “Registry Tampering by Potentially Suspicious Processes” for unusual or unauthorized registry changes.
  • Monitor registry events for modifications made by processes such as wscript.exe and cscript.exe (logsource: registry_event).

Detection coverage (2 rules)

Registry Tampering by WScript/CScript

medium

Detects registry modifications made by WScript or CScript processes, excluding known legitimate paths.

Format: sigma
Tactics: defense_evasion, persistence
Techniques: T1059.005, T1112, T1547.001
Sources: registry_event, windows

Registry Tampering by MSHTA

medium

Detects registry modifications made by mshta.exe, which can indicate attempts to bypass standard tools.

Format: sigma
Tactics: defense_evasion, persistence
Techniques: T1112, T1547.001
Sources: registry_event, windows
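The two rules above share one detection idea: a registry write whose originating process is a script host (wscript.exe, cscript.exe or mshta.exe), minus an allow-list of paths those hosts touch legitimately, with writes to autostart locations treated as persistence (T1547.001) and everything else as generic registry modification (T1112). The Python below is an added illustration of that triage logic run over registry events, not the feed's own Sigma rules or its exclusions (which this page does not publish). It assumes Sysmon-style registry events (Event ID 12 key create/delete, 13 value set, 14 rename) carrying Image, TargetObject and Details fields; the sample events, the placeholder SID and the allow-listed path are constructed for the example.

```python
"""Added example: triage of Sysmon-style registry events for writes made by
scripting engines. Not the feed's own Sigma rule. Assumes Sysmon registry
events (Event ID 12/13/14) with Image, TargetObject and Details fields.
Sample events and the allow-list entry below are constructed."""
import re
from dataclasses import dataclass

# Images the two rules cover: wscript.exe / cscript.exe and mshta.exe.
SUSPICIOUS_IMAGES = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Autostart value locations (Run / RunOnce keys), mapped to T1547.001.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Assumed allow-list of paths a script host writes legitimately in this
# example environment (placeholder SID). Tune per environment.
ALLOWED_TARGET_PREFIXES = (
    r"HKU\S-1-5-21-0000000000-0000000000-0000000000-1001"
    r"\Software\Microsoft\Windows Script Host\Settings",
)

REGISTRY_EVENT_IDS = {12, 13, 14}


@dataclass
class RegistryEvent:
    event_id: int
    image: str
    target_object: str
    details: str = ""


def image_name(path: str) -> str:
    """Base file name of an Image path, lower-cased, for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: RegistryEvent):
    """Return an alert dict for a suspicious event, or None if it is ignored."""
    if ev.event_id not in REGISTRY_EVENT_IDS:
        return None  # not a registry event at all
    if image_name(ev.image) not in SUSPICIOUS_IMAGES:
        return None  # written by some process outside these rules' scope
    allowed = tuple(p.lower() for p in ALLOWED_TARGET_PREFIXES)
    if ev.target_object.lower().startswith(allowed):
        return None  # known legitimate path for a script host
    alert = {"image": ev.image, "target": ev.target_object, "details": ev.details}
    if RUN_KEY_RE.search(ev.target_object):
        # Autostart location: this is the persistence case, raise severity
        alert.update(severity="high", technique="T1547.001")
    else:
        alert.update(severity="medium", technique="T1112")
    return alert


def triage(events):
    """Run classify over an event stream and return only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (placeholder SID and paths), not real telemetry.
USER_HIVE = r"HKU\S-1-5-21-0000000000-0000000000-0000000000-1001"
SAMPLE_EVENTS = [
    # wscript.exe setting a Run value: persistence via an autostart key
    RegistryEvent(13, r"C:\Windows\System32\wscript.exe",
                  USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Users\Public\update.vbs"),
    # mshta.exe writing an application setting: flagged, but not autostart
    RegistryEvent(13, r"C:\Windows\System32\mshta.exe",
                  r"HKLM\SOFTWARE\ExampleApp\Config\LastRun", "20240101"),
    # cscript.exe touching the allow-listed Script Host settings: excluded
    RegistryEvent(13, r"C:\Windows\SysWOW64\cscript.exe",
                  USER_HIVE + r"\Software\Microsoft\Windows Script Host\Settings\Timeout", "0"),
    # reg.exe is a standard tool, outside the scope of these two rules
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKLM\SOFTWARE\ExampleApp\Config\LastRun", "20240101"),
    # Event ID 1 (process creation) is not a registry event
    RegistryEvent(1, r"C:\Windows\System32\wscript.exe", "", ""),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["technique"], alert["image"], "->", alert["target"])
```

Running the block prints two alerts from the five sample events: the wscript.exe Run-key write at high severity (T1547.001) and the mshta.exe write at medium (T1112); the allow-listed cscript.exe event, the reg.exe event and the non-registry event produce nothing. Matching on the image base name rather than the full path keeps the check working for both System32 and SysWOW64 copies of the hosts, which is also why the allow-list is expressed as registry path prefixes rather than process paths.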
