Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not
Sigma rule
```yaml
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/02
modified: 2024/03/19
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
```
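The rule's three selections, evaluated over constructed process_creation events, as an added example that is not part of the SigmaHQ rule or its backends. It mirrors Sigma's default case-insensitive string matching and shows why a renamed `reg.exe` is still caught through `OriginalFileName`, while a `reg query` on the same key and a command line lacking the space-delimited ` add ` flag are not; the event dicts and service name are made up for the demo.

```python
# Constructed sample events in the shape of a process_creation log (not real telemetry).
SAMPLE_EVENTS = [
    {   # true positive: add under SafeBoot\Minimal (placeholder service name)
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc /ve /d Service /f",
    },
    {   # read-only query of the same key: selection_flag does not match
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    },
    {   # renamed binary: Image fails, but OriginalFileName (from the PE version info) still matches
        "Image": r"C:\Temp\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe COPY HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc HKLM\SOFTWARE\Tmp",
    },
    {   # wrong image, and 'add' is not surrounded by spaces: no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c echo \SYSTEM\CurrentControlSet\Control\SafeBoot add",
    },
]


def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection*' for one event, case-insensitively as Sigma does by default."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # selection_img: list of maps => OR between the two alternatives
    selection_img = image.endswith(r"\reg.exe") or original == "reg.exe"
    # selection_safeboot: CommandLine|contains the SafeBoot key path
    selection_safeboot = r"\system\currentcontrolset\control\safeboot" in cmd
    # selection_flag: CommandLine|contains either flag, spaces included
    selection_flag = " copy " in cmd or " add " in cmd

    return selection_img and selection_safeboot and selection_flag


def run_detection(events: list) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # [0, 2]
```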
Related rules
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry
- Sysmon Configuration Update
- Uninstall Sysinternals Sysmon
- Github Push Protection Bypass Detected