{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/scripting-engine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["registry-modification","persistence","defense-evasion","scripting-engine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief covers suspicious registry modifications made by scripting engine processes like WScript, CScript, and MSHTA. These processes are often abused by attackers to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence. Legitimate use of these scripting engines to modify the registry is uncommon, making this behavior a good indicator of potential malicious activity. Defenders should monitor for these processes interacting with sensitive registry keys. This activity was observed as of 2025 and continues to be a relevant technique for persistence and defense evasion in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses MSHTA.exe to execute malicious HTML Application code.\u003c/li\u003e\n\u003cli\u003eMSHTA.exe is used to launch a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the Registry module to add a new registry key.\u003c/li\u003e\n\u003cli\u003eThe registry key is configured to execute a payload upon system startup.\u003c/li\u003e\n\u003cli\u003eThe attacker uses wscript.exe or cscript.exe to execute VBScript or JScript.\u003c/li\u003e\n\u003cli\u003eThe script modifies registry values to disable security features.\u003c/li\u003e\n\u003cli\u003eThe compromised system restarts, executing the payload defined in the registry, granting the attacker persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistence on the targeted system, enabling them to maintain access even after a reboot. This can lead to data theft, further malware deployment, or complete system compromise. The impact ranges from minor data breaches to significant operational disruptions. The scope of the impact depends on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Tampering by Potentially Suspicious Processes\u0026rdquo; to your SIEM to detect this specific activity, and tune for your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of wscript.exe, cscript.exe or mshta.exe modifying registry keys outside of known-good paths (rules).\u003c/li\u003e\n\u003cli\u003eMonitor registry events for unexpected modifications by scripting engines, focusing on persistence-related keys (rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:50:16Z","date_published":"2026-04-14T12:50:16Z","id":"/briefs/2026-04-susp-reg-mod/","summary":"Scripting engines such as WScript, CScript, and MSHTA are being used to make registry modifications, potentially for persistence or defense evasion.","title":"Suspicious Registry Modifications by Scripting Engines","url":"https://feed.craftedsignal.io/briefs/2026-04-susp-reg-mod/"}],"language":"en","title":"CraftedSignal Threat Feed — Scripting-Engine","version":"https://jsonfeed.org/version/1.1"}