Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on a services registry key. Often used by attackers to remove AV software services.
Sigma rule
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on a services registry key. Often used by attackers to remove AV software services
references:
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains: ' delete '
    selection_key:
        # Add specific services if you would like the rule to be more specific
        CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
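To show how the three selections combine, here is an added example (not code from the Sigma project) that evaluates the rule's detection block over constructed process-creation events. It assumes the event fields carry the rule's names (Image, OriginalFileName, CommandLine) and mirrors Sigma's case-insensitive string matching; the service and file names in the samples are hypothetical.

```python
# Added example, not Sigma project code: a small evaluator for this rule's
# detection block. Sigma string modifiers match case-insensitively.
SERVICES_KEY = "\\SYSTEM\\CurrentControlSet\\services\\"


def _low(event, field):
    """Lower-cased field value, empty string when the field is absent."""
    return str(event.get(field, "")).lower()


def selection_img(event):
    # A list of maps in Sigma is OR-ed: either the image name or the PE
    # OriginalFileName identifies reg.exe (the latter catches a renamed copy).
    return (_low(event, "Image").endswith("reg.exe")
            or _low(event, "OriginalFileName") == "reg.exe")


def selection_delete(event):
    # CommandLine|contains: ' delete '  (the spaces keep e.g. "deleted" out)
    return " delete " in _low(event, "CommandLine")


def selection_key(event):
    # CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
    return SERVICES_KEY.lower() in _low(event, "CommandLine")


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_delete(event) and selection_key(event)


# Constructed sample events (hypothetical service and path names).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg delete "HKLM\\SYSTEM\\CurrentControlSet\\services\\ExampleAV" /f'},
    {"id": "e2", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\services\\ExampleAV"},
    {"id": "e3", "Image": "C:\\Temp\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "r.exe delete HKLM\\SYSTEM\\CurrentControlSet\\services\\ExampleAV /f"},
    {"id": "e4", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Foo /f"},
    {"id": "e5", "Image": "C:\\Windows\\SysWOW64\\REG.EXE",
     "CommandLine": "REG DELETE hklm\\system\\currentcontrolset\\SERVICES\\ExampleAV /f"},
]


def alerting_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]
```

Events e2 (query, not delete) and e4 (a Run key, not a services key) stay silent, while e3 shows the OriginalFileName branch firing on a renamed binary and e5 shows that casing does not affect the match.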