4.B.4 - powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Powershell mnodifying registry, do not have access to script tot ell that it was done using "new item-property"

Adding key:

{"_index":"wazuh-archives-4.x-2021.09.14","_type":"_doc","_id":"W3_s5XsBp_s9Frc2iSPB","_version":1,"_score":null,"_source":{"agent":{"ip":"192.168.0.121","name":"hrmanager","id":"013"},"manager":{"name":"localhost2.localdomain"},"data":{"win":{"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","targetObject":"HKU\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\ms-settings\\\\shell\\\\open\\\\command","processGuid":"{4dc16835-0124-6141-fb02-000000006500}","processId":"7152","utcTime":"2021-09-14 20:08:06.917","eventType":"CreateKey"},"system":{"eventID":"12","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Registry object added or deleted:\r\nRuleName: -\r\nEventType: CreateKey\r\nUtcTime: 2021-09-14 20:08:06.917\r\nProcessGuid: {4dc16835-0124-6141-fb02-000000006500}\r\nProcessId: 7152\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nTargetObject: HKU\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\ms-settings\\shell\\open\\command\"","version":"2","systemTime":"2021-09-14T20:08:06.9194728Z","eventRecordID":"360355","threadID":"3756","computer":"hrmanager.ExchangeTest.com","task":"12","processID":"2664","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"decoder":{"name":"windows_eventchannel"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:06.9194728Z\",\"eventRecordID\":\"360355\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: -\\r\\nEventType: CreateKey\\r\\nUtcTime: 2021-09-14 20:08:06.917\\r\\nProcessGuid: {4dc16835-0124-6141-fb02-000000006500}\\r\\nProcessId: 7152\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\"\"},\"eventdata\":{\"eventType\":\"CreateKey\",\"utcTime\":\"2021-09-14 20:08:06.917\",\"processGuid\":\"{4dc16835-0124-6141-fb02-000000006500}\",\"processId\":\"7152\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"targetObject\":\"HKU\\\\\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\"}}}","input":{"type":"log"},"@timestamp":"2021-09-14T20:08:07.599Z","location":"EventChannel","id":"1631650087.1001913","timestamp":"2021-09-14T17:08:07.599-0300"},"fields":{"@timestamp":["2021-09-14T20:08:07.599Z"],"timestamp":["2021-09-14T20:08:07.599Z"]},"highlight":{"data.win.eventdata.processId":["@kibana-highlighted-field@7152@/kibana-highlighted-field@"]},"sort":[1631650087599]}

Adding value

{"_index":"wazuh-archives-4.x-2021.09.14","_type":"_doc","_id":"XH_s5XsBp_s9Frc2iSPB","_version":1,"_score":null,"_source":{"agent":{"ip":"192.168.0.121","name":"hrmanager","id":"013"},"manager":{"name":"localhost2.localdomain"},"data":{"win":{"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","targetObject":"HKU\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)","processGuid":"{4dc16835-0124-6141-fb02-000000006500}","processId":"7152","utcTime":"2021-09-14 20:08:06.921","details":"cmd.exe /C C:\\\\Users\\\\kmitnick.FINANCIAL\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe &gt; C:\\\\Users\\\\kmitnick.financial\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\MGsCOxPSNK.txt","eventType":"SetValue"},"system":{"eventID":"13","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2021-09-14 20:08:06.921\r\nProcessGuid: {4dc16835-0124-6141-fb02-000000006500}\r\nProcessId: 7152\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nTargetObject: HKU\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\ms-settings\\shell\\open\\command\\(Default)\r\nDetails: cmd.exe /C C:\\Users\\kmitnick.FINANCIAL\\AppData\\Roaming\\TransbaseOdbcDriver\\smrs.exe > C:\\Users\\kmitnick.financial\\AppData\\Roaming\\TransbaseOdbcDriver\\MGsCOxPSNK.txt\"","version":"2","systemTime":"2021-09-14T20:08:06.9235444Z","eventRecordID":"360356","threadID":"3756","computer":"hrmanager.ExchangeTest.com","task":"13","processID":"2664","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"decoder":{"name":"windows_eventchannel"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:06.9235444Z\",\"eventRecordID\":\"360356\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: -\\r\\nEventType: SetValue\\r\\nUtcTime: 2021-09-14 20:08:06.921\\r\\nProcessGuid: {4dc16835-0124-6141-fb02-000000006500}\\r\\nProcessId: 7152\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)\\r\\nDetails: cmd.exe /C C:\\\\Users\\\\kmitnick.FINANCIAL\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe > C:\\\\Users\\\\kmitnick.financial\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\MGsCOxPSNK.txt\\\"\"},\"eventdata\":{\"eventType\":\"SetValue\",\"utcTime\":\"2021-09-14 20:08:06.921\",\"processGuid\":\"{4dc16835-0124-6141-fb02-000000006500}\",\"processId\":\"7152\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"targetObject\":\"HKU\\\\\\\\S-1-5-21-887924094-598891991-956377308-1146_Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\\\\\\(Default)\",\"details\":\"cmd.exe /C C:\\\\\\\\Users\\\\\\\\kmitnick.FINANCIAL\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\smrs.exe &gt; C:\\\\\\\\Users\\\\\\\\kmitnick.financial\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\MGsCOxPSNK.txt\"}}}","input":{"type":"log"},"@timestamp":"2021-09-14T20:08:07.621Z","location":"EventChannel","id":"1631650087.1001913","timestamp":"2021-09-14T17:08:07.621-0300"},"fields":{"@timestamp":["2021-09-14T20:08:07.621Z"],"timestamp":["2021-09-14T20:08:07.621Z"]},"highlight":{"data.win.eventdata.processId":["@kibana-highlighted-field@7152@/kibana-highlighted-field@"]},"sort":[1631650087621]}

Originally posted by @fabamatic in https://github.com/wazuh/wazuh/issues/9064#issuecomment-919482290

cytoscape / py4cytoscape

4.B.4 - powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty #134