SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" with the "delete" verb against the SafeBoot registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot. The Minimal and Network subkeys list the services and drivers Windows loads in Safe Mode; attackers delete the entries belonging to security products so those products do not start when the machine is rebooted into Safe Mode, leaving ransomware or other payloads free to run.
Sigma rule
```yaml
title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022/08/08
modified: 2023/02/04
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
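To see exactly what the rule matches and what it lets through, here is the detection logic re-implemented as a plain Python matcher and run over a handful of constructed process_creation events. This is an added example, not code from the page or from the Sigma project; the field names follow the rule (Image, OriginalFileName, CommandLine), and Sigma's case-insensitive string matching is reproduced with lower-casing. The sample events, including the paths and the service name "SomeAV", are made up for illustration.

```python
"""Plain-Python matcher for the Sigma rule
'SafeBoot Registry Key Deleted Via Reg.EXE' (fc0e89b5-adb0-43c1-b749-c12a10ec37de).
Added example, not the rule's or the Sigma project's own code. Sigma string
modifiers (endswith, contains) match case-insensitively, hence str.lower()."""

from typing import Dict, List

Event = Dict[str, str]


def _lower(event: Event, field: str) -> str:
    """Fetch a field as lower-case text; a missing field matches nothing."""
    return event.get(field, "").lower()


def selection_img(event: Event) -> bool:
    """selection_img is a list of two maps, so it is an OR: the image path ends
    with reg.exe, or the PE OriginalFileName is reg.exe (catches renamed copies)."""
    return (_lower(event, "Image").endswith("reg.exe")
            or _lower(event, "OriginalFileName") == "reg.exe")


# The two CommandLine|contains|all tokens from the rule, lower-cased.
SAFEBOOT_TOKENS = (" delete ", "\\system\\currentcontrolset\\control\\safeboot")


def selection_delete(event: Event) -> bool:
    """contains|all: every token must appear somewhere in the command line."""
    cmd = _lower(event, "CommandLine")
    return all(tok in cmd for tok in SAFEBOOT_TOKENS)


def matches(event: Event) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_delete(event)


# Constructed sample events (not real telemetry); the service name is invented.
SAMPLE_EVENTS: List[Event] = [
    # 0. The case the rule is written for: drop a Safe Mode service entry.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SomeAV" /f'},
    # 1. Renamed binary: Image no longer ends with reg.exe, OriginalFileName still does.
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'r.exe DELETE HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SomeAV /f'},
    # 2. Benign: reg.exe only queries the key.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'},
    # 3. Gap: ControlSet001 instead of CurrentControlSet edits the same data but is not matched.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SomeAV /f'},
    # 4. Gap: PowerShell Remove-Item never involves reg.exe, so it is outside this rule.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SomeAV'"},
]


def run(events: List[Event]) -> List[int]:
    """Return the indices of the events the rule would flag."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 1 fire; events 2, 3 and 4 do not. Event 3 is worth noting when tuning: HKLM\SYSTEM\CurrentControlSet is a link to one of the ControlSet00N keys, so a deletion addressed through ControlSet001 removes the same Safe Mode entry while missing the rule's literal CurrentControlSet token. Event 4 shows the rule is scoped to reg.exe only; registry edits through PowerShell or direct API calls need separate coverage.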
References
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Related rules
- HackTool - PowerTool Execution
- Powershell Base64 Encoded MpPreference Cmdlet
- Service Registry Key Deleted Via Reg.EXE
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Load Of RstrtMgr.DLL By A Suspicious Process