Potential Persistence Attempt Via Run Keys Using Reg.EXE

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Sigma rule (View on GitHub)

 1title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
 2id: de587dce-915e-4218-aac4-835ca6af6f70
 3status: test
 4description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
 5references:
 6    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
 7    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
 8    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 9author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2021-06-28
11modified: 2025-02-17
12tags:
13    - attack.privilege-escalation
14    - attack.persistence
15    - attack.t1547.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\reg.exe'
22        CommandLine|contains|all:
23            - 'reg'
24            - ' add '
25        CommandLine|contains:
26            - 'Software\Microsoft\Windows\CurrentVersion\Run'
27            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
28            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
29    condition: selection
30falsepositives:
31    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
32    - Legitimate administrator sets up autorun keys for legitimate reasons.
33    - Discord
34level: medium

References

Related rules

to-top