Access To .Reg/.Hive Files By Uncommon Application
Detects file access requests to files ending with either the ".hive" or ".reg" extension, usually associated with Windows Registry backups.
Sigma rule
```yaml
title: Access To .Reg/.Hive Files By Uncommon Application
id: 337a31c6-46c4-46be-886a-260d7aa78cac
status: experimental
description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
references:
    - https://github.com/tccontre/Reg-Restore-Persistence-Mole
author: frack113
date: 2023/09/15
tags:
    - attack.t1112
    - attack.defense_evasion
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|endswith:
            - '.hive'
            - '.reg'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
level: low
```
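To make the rule's logic concrete, the following is an added example (not part of the Sigma project or this rule's author's work) that evaluates the detection above against a handful of constructed `file_access` events. It uses the rule's own field names (`FileName`, `Image`) and applies Sigma's default case-insensitive string matching; the event paths are invented for illustration.

```python
"""Evaluate the 'Access To .Reg/.Hive Files By Uncommon Application' logic
against constructed file_access events.

Added example; not pySigma or the rule's own code. Field names follow the
rule (FileName, Image). Sigma string modifiers match case-insensitively by
default, so both fields are lower-cased before comparison.
"""

# Constructed sample events in the shape the rule's logsource describes
# (Microsoft-Windows-Kernel-File file_access). All paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "FileName": r"C:\Users\alice\Desktop\backup.hive"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "FileName": r"C:\Temp\export.reg"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "FileName": r"C:\ProgramData\Vendor\settings.REG"},
    {"Image": r"C:\Users\bob\Downloads\installer.exe",
     "FileName": r"C:\Users\bob\Downloads\readme.txt"},
    {"Image": r"C:\Users\bob\Downloads\installer.exe",
     "FileName": r"C:\Users\bob\Downloads\Settings.Reg"},
]

# selection: FileName|endswith '.hive' or '.reg'
SUFFIXES = (".hive", ".reg")

# filter_main_generic: Image|contains one of these (lower-cased for matching)
TRUSTED_IMAGE_SUBSTRINGS = (
    ":\\program files (x86)\\",
    ":\\program files\\",
    ":\\windows\\system32\\",
    ":\\windows\\syswow64\\",
)


def selection(event):
    """True when the accessed file name ends with a registry-export suffix."""
    return event.get("FileName", "").lower().endswith(SUFFIXES)


def filter_main_generic(event):
    """True when the accessing process image lives under a trusted directory."""
    image = event.get("Image", "").lower()
    return any(sub in image for sub in TRUSTED_IMAGE_SUBSTRINGS)


# Every filter_main_* block in the rule; tuning means appending functions here.
FILTERS = [filter_main_generic]


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def evaluate(events):
    """Return the events that would raise an alert under the rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["FileName"])
```

Run as-is, only the two events whose process image sits in a user-writable location (Temp and Downloads) alert; `reg.exe` under System32 and the vendor updater under Program Files are suppressed by `filter_main_generic`, and the `.txt` access never enters `selection`. The `FILTERS` list is where the "heavy baselining and tuning" the rule warns about would go: each additional `filter_main_*` block becomes one more function, and `1 of filter_main_*` is satisfied when any of them fires.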
References
- https://github.com/tccontre/Reg-Restore-Persistence-Mole
Related rules
- New BgInfo.EXE Custom DB Path Registry Configuration
- New BgInfo.EXE Custom VBScript Registry Configuration
- New BgInfo.EXE Custom WMI Query Registry Configuration
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry