SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe-boot execution of security products.
Sigma rule
title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
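To show how the two selections and the `all of selection_*` condition combine, here is an added Python evaluator (not code from the Sigma project) run over constructed process_creation events; the field names come from the rule, and the lowercasing mirrors Sigma's default case-insensitive string matching.

```python
# Added example, not code from the Sigma project: evaluates this rule's two
# selections and its 'all of selection_*' condition over constructed events.
# Sigma string matching is case-insensitive by default, hence the lowercasing.

SAFEBOOT_KEY = r"\SYSTEM\CurrentControlSet\Control\SafeBoot"

def selection_img(event: dict) -> bool:
    # A YAML list of maps is an OR: either Image or OriginalFileName suffices.
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    return image.endswith("reg.exe") or orig == "reg.exe"

def selection_delete(event: dict) -> bool:
    # CommandLine|contains|all: every listed substring must be present.
    cmd = event.get("CommandLine", "").lower()
    return all(s.lower() in cmd for s in (" delete ", SAFEBOOT_KEY))

def matches(event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_delete(event)

# Constructed sample process_creation events, not real telemetry.
EVENTS = [
    {  # expected hit: reg.exe removing a SafeBoot\Minimal subkey
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc /f",
    },
    {  # expected hit: copied binary, but the PE OriginalFileName still says reg.exe
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe DELETE hklm\system\currentcontrolset\control\safeboot\network\ExampleSvc /f",
    },
    {  # no hit: read-only query of the same key
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    },
    {  # no hit: delete on an unrelated key
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg delete HKCU\Software\Example /f",
    },
]

def alerts(events=EVENTS) -> list:
    # Return the command lines the rule would flag.
    return [e["CommandLine"] for e in events if matches(e)]
```

The second event is why the rule checks OriginalFileName as well as Image: that field comes from the PE version resource rather than the on-disk file name.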
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility