Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode as some security products do not
Sigma rule
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
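The following Python is an added example, not part of the Sigma rule or of the SigmaHQ tooling. It re-implements the rule's three selections and its `all of selection*` condition with plain string tests, following the Sigma convention that `endswith` and `contains` are case-insensitive, and runs them over constructed process_creation events (field names from the Sigma process_creation schema; the service name `evilsvc` and every command line are made up). The last two events are deliberately chosen to sit just outside the rule's coverage: a write that reaches the same key through `ControlSet001` (the control set that `CurrentControlSet` links to) and the same write made from PowerShell instead of reg.exe.

```python
"""Evaluate the 'Add SafeBoot Keys Via Reg Utility' logic over constructed
process_creation events.  Added example; not code from the Sigma rule or
from SigmaHQ.  Field names follow the Sigma process_creation schema
(Image, OriginalFileName, CommandLine); all sample events are constructed."""

# Substrings taken from the rule.  Sigma string modifiers (endswith, contains)
# are case-insensitive, so both sides are lowercased before comparison.
SAFEBOOT_KEY = r"\SYSTEM\CurrentControlSet\Control\SafeBoot".lower()
FLAGS = (" copy ", " add ")


def matches_rule(event: dict) -> bool:
    """Return True when all three selections hold (condition: all of selection*)."""
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()

    # selection_img: a list of maps is OR-ed, so either field may match
    selection_img = image.endswith(r"\reg.exe") or original == "reg.exe"
    # selection_safeboot: the command line names the SafeBoot key
    selection_safeboot = SAFEBOOT_KEY in cmdline
    # selection_flag: a write-style sub-command, space-bounded as in the rule
    selection_flag = any(flag in cmdline for flag in FLAGS)

    return selection_img and selection_safeboot and selection_flag


# Constructed sample events (hypothetical service name 'evilsvc').
SAMPLE_EVENTS = {
    # Classic pattern: register a service so it starts in safe mode.
    "reg_add_minimal": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\evilsvc /ve /t REG_SZ /d Service /f",
    },
    # Renamed binary and mixed case: OriginalFileName still identifies reg.exe.
    "renamed_reg_upper": {
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'r.exe ADD "HKLM\System\CurrentControlSet\Control\SafeBoot\Network\evilsvc" /ve /d Service /f',
    },
    # Read-only access to the same key: no add/copy flag, so no alert.
    "reg_query": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    },
    # Same key reached via ControlSet001, which CurrentControlSet links to:
    # the write lands in the same place but the rule only looks for CurrentControlSet.
    "controlset001_bypass": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\evilsvc /ve /d Service /f",
    },
    # Same write done from PowerShell: outside the rule's scope (not reg.exe).
    "powershell_new_item": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\evilsvc",
    },
}


def evaluate(events: dict) -> dict:
    """Map each event name to the rule's verdict."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The first two events fire and the remaining three stay quiet. The `controlset001_bypass` and `powershell_new_item` cases are the ones worth noting when deploying this rule: it is a process-creation rule keyed on reg.exe and on the literal `CurrentControlSet` path, so a registry-event source (for example Sysmon event ID 12/13 on the SafeBoot key) is the natural complement if you want the write itself covered regardless of which tool or path produced it.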
References
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
Related rules
- Dism Remove Online Package
- Hypervisor Enforced Code Integrity Disabled
- Removal Of AMSI Provider Registry Keys
- Cisco Disabling Logging
- Windows Defender Definition Files Removed