Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on the services registry key. Often used by attackers to remove AV software services.
Sigma rule
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on the services registry key. Often used by attackers to remove AV software services
references:
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains: ' delete '
    selection_key:
        # Add specific services if you would like the rule to be more specific
        CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
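To show how the three selections combine (the list items under selection_img are OR-ed, and "all of selection_*" AND-s the selections, with Sigma's default case-insensitive string matching), here is an added Python example that evaluates the rule against constructed process_creation events. It is not part of the Sigma project's own code (pySigma, sigma-cli); it assumes events are dicts keyed by the Sigma field names Image, OriginalFileName and CommandLine.

```python
"""Evaluate this Sigma rule's detection logic against sample events.

Added example; not the Sigma project's own code. Events are assumed to be
dicts keyed by the Sigma field names used in the rule."""

# The rule's selection_key value, with backslashes escaped for Python.
SERVICES_KEY = "\\SYSTEM\\CurrentControlSet\\services\\"


def _ci(value):
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return (value or "").lower()


def selection_img(event):
    # A YAML list under a selection: its items are OR-ed together.
    return (_ci(event.get("Image")).endswith("reg.exe")
            or _ci(event.get("OriginalFileName")) == "reg.exe")


def selection_delete(event):
    return " delete " in _ci(event.get("CommandLine"))


def selection_key(event):
    return SERVICES_KEY.lower() in _ci(event.get("CommandLine"))


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_delete(event) and selection_key(event)


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg delete "HKLM\\SYSTEM\\CurrentControlSet\\services\\ExampleAV" /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\services\\ExampleAV"},
    # Renamed binary: Image does not end with reg.exe, but OriginalFileName still matches.
    {"Image": "C:\\Temp\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "r.exe DELETE HKLM\\System\\CurrentControlSet\\Services\\ExampleAV /f"},
    # Not reg.exe at all: selection_img fails, so no alert despite the other two matching.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo delete \\SYSTEM\\CurrentControlSet\\services\\"},
]


def alerts(events):
    # Return the command lines of every event the rule would fire on.
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```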
Related rules
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- AWS GuardDuty Detector Deleted Or Updated
- AWS GuardDuty Important Change