tyler-mcadam

Looks like all 3 use ms-settings\shell\open\command and exefile\shell\open\command, probably depends on the version of Windows. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml

Oh that's even simpler than I thought. I like this solution a lot. Thanks! Am I supposed to close the issue or do you do it after merging?