PDF File Created By RegEdit.EXE

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Sigma rule

title: PDF File Created By RegEdit.EXE
id: 145095eb-e273-443b-83d0-f9b519b7867b
status: experimental
description: |
    Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
references:
    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-08
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        TargetFilename|endswith: '.pdf'
    condition: selection
falsepositives:
    - Unlikely
level: high
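The rule's selection logic, run over a handful of constructed Windows file-creation events. This is an added example, not code from the Sigma project or from the rule's author; it uses only the rule's own field names (Image, TargetFilename) and assumes Sigma's default case-insensitive string matching for the endswith modifier. The sample events are constructed, not real telemetry.

```python
# Added example: evaluate the "PDF File Created By RegEdit.EXE" selection
# against constructed file_event records (Sysmon FileCreate-style fields).
# Not part of the Sigma project; field names follow the rule itself.
from typing import Dict, List

RULE_ID = "145095eb-e273-443b-83d0-f9b519b7867b"  # from the rule above

# Sigma's 'endswith' modifier matches case-insensitively by default, so both
# sides are lower-cased before comparison. The leading backslash in
# '\regedit.exe' anchors the match to the file name, not a substring of it.
IMAGE_SUFFIX = "\\regedit.exe"
TARGET_SUFFIX = ".pdf"


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's single selection."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(IMAGE_SUFFIX) and target.endswith(TARGET_SUFFIX)


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply 'condition: selection' over a list of events; return the hits."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (not real logs). Only the fields the rule reads
# plus an EventID for context are included.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. regedit writing a PDF: expected hit
    {"EventID": "11", "Image": r"C:\Windows\regedit.exe",
     "TargetFilename": r"C:\Users\alice\Documents\export.pdf"},
    # 2. regedit exporting a .reg file: outside this rule's scope
    {"EventID": "11", "Image": r"C:\Windows\regedit.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\keys.reg"},
    # 3. a PDF reader writing a PDF: wrong process, no hit
    {"EventID": "11", "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    # 4. mixed case on both fields: still a hit under case-insensitive matching
    {"EventID": "11", "Image": r"C:\WINDOWS\REGEDIT.EXE",
     "TargetFilename": r"D:\tmp\SAM.PDF"},
    # 5. a differently named binary ending in "regedit.exe": the backslash
    #    anchor in the rule keeps this from matching
    {"EventID": "11", "Image": r"C:\Tools\myregedit.exe",
     "TargetFilename": r"C:\Tools\out.pdf"},
]


def hit_targets(events: List[Dict[str, str]]) -> List[str]:
    """Convenience view: TargetFilename of each hit, in input order."""
    return [e["TargetFilename"] for e in run_rule(events)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] {hit['Image']} -> {hit['TargetFilename']}")
```

Events 2 and 5 show the two boundaries of the selection: the rule only fires on a literal `.pdf` suffix (so a `.reg` export from the same process is not covered), and the backslash in `'\regedit.exe'` anchors the match to the file name so a lookalike binary name does not satisfy the Image check.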
