Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" with the "delete" flag against a key under the services registry hive (\SYSTEM\CurrentControlSet\services\). Attackers often do this to remove AV or EDR software services so the product no longer starts.
Sigma rule
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attackers to remove AV software services
references:
  - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/01
modified: 2023/02/04
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: 'reg.exe'
    - OriginalFileName: 'reg.exe'
  selection_delete:
    CommandLine|contains: ' delete '
  selection_key:
    # Add specific services if you would like the rule to be more specific
    CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
  condition: all of selection_*
falsepositives:
  - Unlikely
level: high
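To make the detection logic concrete, the following is an added Python evaluator (example code written for this page, not code from the Sigma project) that applies the rule's three selections, joined by "all of selection_*", to a handful of constructed process_creation events. It assumes the Sigma Windows process_creation field names (Image, OriginalFileName, CommandLine) and Sigma's default case-insensitive string matching; the events are made up, not real telemetry. The last sample shows a gap worth knowing about: CurrentControlSet is a link to one of the ControlSet00N keys, so a delete addressed through ControlSet001 has the same effect but does not contain the substring the rule looks for.

```python
# Added example, not code from the Sigma project or this page: a small
# evaluator that applies the rule's three selections to constructed
# process_creation events. Field names follow the Sigma Windows
# process_creation schema; every event below is made up.

def _ci(value):
    """Sigma string modifiers (endswith, contains, plain equality) are
    case-insensitive unless |cased is used, so lower-case both sides."""
    return (value or "").lower()


def selection_img(event):
    # Items listed under one selection are OR-ed: a renamed binary is
    # still caught when its PE OriginalFileName is reg.exe.
    return (_ci(event.get("Image")).endswith("reg.exe")
            or _ci(event.get("OriginalFileName")) == "reg.exe")


def selection_delete(event):
    # Surrounding spaces keep "delete" from matching inside other tokens.
    return " delete " in _ci(event.get("CommandLine"))


def selection_key(event):
    # Substring match, so HKLM\..., HKEY_LOCAL_MACHINE\... and quoted
    # paths all qualify.
    return "\\system\\currentcontrolset\\services\\" in _ci(event.get("CommandLine"))


def matches(event):
    """condition: all of selection_* -> every selection must be true."""
    return selection_img(event) and selection_delete(event) and selection_key(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Deleting the Defender service key: should fire.
    "defender_delete": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f',
    },
    # Renamed copy of reg.exe with mixed-case arguments: still fires via
    # OriginalFileName and case-insensitive matching.
    "renamed_binary": {
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe DELETE HKLM\System\CurrentControlSet\Services\Sense /f",
    },
    # Read-only query of the same key: no "delete" flag, should not fire.
    "benign_query": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\WinDefend",
    },
    # Same deletion addressed through ControlSet001 instead of the
    # CurrentControlSet link: the rule's key substring is absent, so it
    # does not fire even though the effect on the live system is the same.
    "controlset001_evasion": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe delete HKLM\SYSTEM\ControlSet001\Services\WinDefend /f",
    },
    # Deleting an unrelated user key: outside the services hive, no match.
    "unrelated_key": {
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe delete HKCU\Software\ExampleVendor /f",
    },
}


def evaluate_samples():
    """Return {event name: True/False} for every constructed event."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else '  ok '}  {name}")
```

Running it flags defender_delete and renamed_binary and leaves the other three quiet. If the ControlSet00N bypass matters in your environment, a second selection_key entry for '\SYSTEM\ControlSet00' closes it at the cost of a slightly wider match; service removal via sc.exe delete or PowerShell Remove-Item is outside this rule's scope entirely and needs its own detection.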
Related rules
- HackTool - PowerTool Execution
- Powershell Base64 Encoded MpPreference Cmdlet
- SafeBoot Registry Key Deleted Via Reg.EXE
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Load Of RstrtMgr.DLL By A Suspicious Process