Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not
Sigma rule

```yaml
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
```
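To show what the three selections actually match, here is an added example (not part of the rule or the Sigma project) that implements the rule's detection logic in plain Python and runs it over a handful of constructed process_creation events; it assumes Sigma's default case-insensitive matching for `contains` and `endswith`.

```python
# Added example: hand-written matcher for the rule above, applied to
# constructed process_creation events. Not the project's own code.
# Sigma's contains/endswith modifiers match case-insensitively, so
# every comparison lowercases both sides.

SAFEBOOT_KEY = r"\SYSTEM\CurrentControlSet\Control\SafeBoot".lower()
FLAGS = (" copy ", " add ")  # leading/trailing spaces as in the rule


def selection_img(event):
    # Either the image path ends in \reg.exe or the PE's OriginalFileName
    # is reg.exe, so a renamed copy of the binary is still selected.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(r"\reg.exe") or original == "reg.exe"


def selection_safeboot(event):
    return SAFEBOOT_KEY in event.get("CommandLine", "").lower()


def selection_flag(event):
    cmd = event.get("CommandLine", "").lower()
    return any(flag in cmd for flag in FLAGS)


def matches_rule(event):
    # condition: all of selection*
    return selection_img(event) and selection_safeboot(event) and selection_flag(event)


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svc /ve /t REG_SZ /d Service /f"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"},
    {"Image": r"C:\Tools\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"r.exe COPY HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"},
]


def alerts(events):
    """Return the indexes of events that satisfy the rule's condition."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # [0, 3]
```

Event 1 (a `reg query`) and event 2 (cmd.exe echoing the key) are correctly left alone; event 3 fires only because the OriginalFileName alternative in `selection_img` is there.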