LOLBAS
Add slui.yml, fodhelper.yml, regedit.yml
Similar to my past submission (ComputerDefaults), hijacking the registry key "HKEY_CURRENT_USER\Software\Classes\exefile" allows the proxied execution of scripts/binaries via these three native binaries (slui, fodhelper, regedit).
Looks like all 3 use ms-settings\shell\open\command and exefile\shell\open\command; it probably depends on the version of Windows. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
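To make the detection side of this concrete, here is an added example (not part of the PR or of LOLBAS) that applies the logic of the linked Sigma rule to registry telemetry and then correlates each hijack write with a later launch of one of the proxy binaries named in the PR (fodhelper, slui, regedit, plus ComputerDefaults from the earlier submission). The records are constructed, Sysmon-style events (Event ID 12/13 for registry key create/value set, Event ID 1 for process create); the `Time` field as an integer epoch and the `User` field are assumptions for the sake of a self-contained script, and the 120-second correlation window is an arbitrary choice, not a value from the page.

```python
import re

# Per-user handler keys consulted by fodhelper/slui/regedit/ComputerDefaults (per the PR
# and the Sigma rule linked above). The point of the technique is that HKCU, surfaced in
# Sysmon as HKU\<SID>\..., is writable by a standard user, so a write here needs no admin.
HIJACK_KEY_RE = re.compile(
    r"\\Software\\Classes\\(ms-settings|exefile)\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)
# Native binaries that will read the hijacked key and proxy-execute its payload.
PROXY_BINARIES = {"fodhelper.exe", "slui.exe", "regedit.exe", "computerdefaults.exe"}

# Constructed sample telemetry (not real logs). Field names follow Sysmon's naming;
# Time is a simplified integer timestamp (assumption), EventID 12 = key create,
# 13 = value set, 1 = process create.
SAMPLE_EVENTS = [
    # alice creates the exefile command key, then sets both handlers to her payload.
    {"Time": 999, "EventID": 12, "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\exefile\\shell\\open\\command",
     "Details": ""},
    {"Time": 1000, "EventID": 13, "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\Public\\payload.exe"},
    {"Time": 1001, "EventID": 13, "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\exefile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\Public\\payload.exe"},
    # alice launches the proxy binary a few seconds later.
    {"Time": 1005, "EventID": 1, "User": "LAB\\alice",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "fodhelper.exe"},
    # Benign: a per-user handler for a different class is not one of the hijack keys.
    {"Time": 1010, "EventID": 13, "User": "LAB\\bob", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1002\\Software\\Classes\\txtfile\\shell\\open\\command\\(Default)",
     "Details": "notepad.exe %1"},
    # Benign: regedit started by a user with no preceding hijack write.
    {"Time": 1020, "EventID": 1, "User": "LAB\\bob",
     "Image": "C:\\Windows\\regedit.exe", "CommandLine": "regedit.exe"},
]


def is_hijack_write(event: dict) -> bool:
    """True for a registry key create or value set under one of the two hijack keys."""
    if event.get("EventID") not in (12, 13):
        return False
    return HIJACK_KEY_RE.search(event.get("TargetObject", "")) is not None


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def correlate(events, window_s: int = 120) -> list:
    """Pair every hijack write with any launch of a proxy binary by the same user
    within window_s seconds afterwards. Returns one hit per (write, launch) pair."""
    writes = [e for e in events if is_hijack_write(e)]
    launches = [e for e in events
                if e.get("EventID") == 1 and _basename(e.get("Image", "")) in PROXY_BINARIES]
    hits = []
    for w in writes:
        for p in launches:
            delta = p["Time"] - w["Time"]
            if p["User"] == w["User"] and 0 <= delta <= window_s:
                hits.append({"user": w["User"], "key": w["TargetObject"],
                             "payload": w.get("Details", ""),
                             "proxy": p["Image"], "delta_s": delta})
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_EVENTS):
        print(f"{h['user']}: {h['proxy']} launched {h['delta_s']}s after write to "
              f"{h['key']} -> {h['payload'] or '(key create)'}")
```

The registry match alone fires on the three writes by alice and ignores bob's txtfile handler; the correlation then ties all three to the fodhelper launch and leaves bob's regedit alone, which is the distinction the Sigma rule's filters are trying to make. Tune the window and add an allow-list for legitimate per-user association changes (installers do write under HKCU\Software\Classes) before deploying anything like this.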