Potential Suspicious Registry File Imported Via Reg.EXE

calendar Oct 23, 2025 · attack.persistence attack.t1112 attack.defense-evasion  ·
Share on: linkedin copy

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

Sigma rule (View on GitHub)

 1title: Potential Suspicious Registry File Imported Via Reg.EXE
 2id: 62e0298b-e994-4189-bc87-bc699aa62d97
 3related:
 4    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
 5      type: derived
 6status: test
 7description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
 8references:
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
10author: frack113, Nasreddine Bencherchali
11date: 2022-08-01
12modified: 2023-02-05
13tags:
14    - attack.persistence
15    - attack.t1112
16    - attack.defense-evasion
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\reg.exe'
23        - OriginalFileName: 'reg.exe'
24    selection_cli:
25        CommandLine|contains: ' import '
26    selection_paths:
27        CommandLine|contains:
28            - 'C:\Users\'
29            - '%temp%'
30            - '%tmp%'
31            - '%appdata%'
32            - '\AppData\Local\Temp\'
33            - 'C:\Windows\Temp\'
34            - 'C:\ProgramData\'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate import of keys
38level: medium

References

  • reg import

    Reference article for the reg import command, which copies the contents of a file that contains exported registry subkeys, entries, and values into the registry of the local computer.


    Read More

Related rules

to-top