Potential Persistence Attempt Via Run Keys Using Reg.EXE

calendar May 12, 2025 · attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Sigma rule (View on GitHub)

 1title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
 2id: de587dce-915e-4218-aac4-835ca6af6f70
 3status: test
 4description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
 5references:
 6    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
 7    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
 8    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 9author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2021-06-28
11modified: 2025-02-17
12tags:
13    - attack.persistence
14    - attack.t1547.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\reg.exe'
21        CommandLine|contains|all:
22            - 'reg'
23            - ' add '
24        CommandLine|contains:
25            - 'Software\Microsoft\Windows\CurrentVersion\Run'
26            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
27            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
28    condition: selection
29falsepositives:
30    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
31    - Legitimate administrator sets up autorun keys for legitimate reasons.
32    - Discord
33level: medium

References

Related rules

to-top