SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on Safe Boot registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot). Attackers often delete these keys so that security products are not started when the system is booted in Safe Mode.
Sigma rule
title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
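The rule's logic, hand-translated into Python and run over a few constructed process_creation events, as an added example (not SigmaHQ code and not a Sigma backend). It assumes Sigma's default case-insensitive string matching, and the sample events are made up to show what matches (including a renamed binary caught through OriginalFileName) and what does not.

```python
# Constructed sample process_creation events (Sysmon EID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    # 0: textbook case - reg.exe deleting a service entry under SafeBoot\Minimal
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc" /f'},
    # 1: renamed binary - Image no longer ends with reg.exe, but the PE version
    #    info (OriginalFileName) still does, and the key path is mixed-case
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'r.exe DELETE HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ExampleSvc /f'},
    # 2: benign - a query on the SafeBoot key, no delete flag
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"},
    # 3: benign - a delete on an unrelated key
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg.exe delete HKCU\Software\Example /f"},
]

# Sigma string modifiers (contains, endswith, plain equality) are case-insensitive by default.
def _ci_contains(haystack, needle):
    return needle.lower() in (haystack or "").lower()

def matches_safeboot_delete(event):
    """Return True when the event satisfies 'all of selection_*' from the rule."""
    # selection_img: a list of maps, so either entry is enough (OR)
    image_ok = (event.get("Image", "").lower().endswith("reg.exe")
                or event.get("OriginalFileName", "").lower() == "reg.exe")
    # selection_delete: contains|all, so every needle must be present (AND)
    cmd = event.get("CommandLine", "")
    needles = (" delete ", r"\SYSTEM\CurrentControlSet\Control\SafeBoot")
    delete_ok = all(_ci_contains(cmd, n) for n in needles)
    return image_ok and delete_ok

def run_rule(events):
    """Indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_safeboot_delete(e)]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only reg.exe invocations are covered by this rule; other ways of editing the same key need their own detections.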