Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not
Sigma rule

title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
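As an added example (not part of the Sigma rule above or of the page), the following Python evaluates the rule's three selections and its "all of selection*" condition over a handful of constructed process_creation events, using Sigma's case-insensitive semantics for the endswith and contains modifiers. The sample events, the PLACEHOLDER subkey names and the helper function names are assumptions made for the illustration.

```python
from typing import Dict, List

# Constructed process_creation events for illustration only (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # should alert: reg.exe adds a key under the SafeBoot hive
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PLACEHOLDER /f",
    },
    {   # should alert: renamed binary is still caught via OriginalFileName; mixed case
        "Image": r"C:\Temp\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe COPY HKLM\System\CurrentControlSet\Control\SafeBoot\Network HKLM\Software\PLACEHOLDER",
    },
    {   # benign: read-only query of the same hive, no add/copy flag
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    },
    {   # benign: reg add outside the SafeBoot hive
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKCU\Software\PLACEHOLDER /v Setting /t REG_DWORD /d 1 /f",
    },
    {   # benign: a different image merely references the SafeBoot path
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c Get-Item HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot",
    },
]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma '|endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    """Sigma '|contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def selection_img(ev: Dict[str, str]) -> bool:
    # A list of maps under a selection is OR-ed: either field condition suffices.
    return (_endswith(ev.get("Image", ""), r"\reg.exe")
            or ev.get("OriginalFileName", "").lower() == "reg.exe")


def selection_safeboot(ev: Dict[str, str]) -> bool:
    return _contains(ev.get("CommandLine", ""),
                     r"\SYSTEM\CurrentControlSet\Control\SafeBoot")


def selection_flag(ev: Dict[str, str]) -> bool:
    # A list of values for one field is OR-ed: any of the flags matches.
    cmd = ev.get("CommandLine", "")
    return any(_contains(cmd, flag) for flag in (" copy ", " add "))


def matches(ev: Dict[str, str]) -> bool:
    """condition: all of selection* -> every selection must match."""
    return selection_img(ev) and selection_safeboot(ev) and selection_flag(ev)


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that would raise this (level: high) alert."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Two points worth noting when reading the matches: the OriginalFileName alternative in selection_img is what keeps the renamed copy in the second event inside the detection, and the read-only "reg query" in the third event does not fire because the flag selection is required as well, which is why the rule can keep its "Unlikely" false-positive rating without excluding legitimate inspection of the hive.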