Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
Sigma rule (View on GitHub)
1title: Potential Suspicious Registry File Imported Via Reg.EXE
2id: 62e0298b-e994-4189-bc87-bc699aa62d97
3related:
4 - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
5 type: derived
6status: test
7description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
8references:
9 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
10author: frack113, Nasreddine Bencherchali
11date: 2022/08/01
12modified: 2023/02/05
13tags:
14 - attack.t1112
15 - attack.defense_evasion
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\reg.exe'
22 - OriginalFileName: 'reg.exe'
23 selection_cli:
24 CommandLine|contains: ' import '
25 selection_paths:
26 CommandLine|contains:
27 - 'C:\Users\'
28 - '%temp%'
29 - '%tmp%'
30 - '%appdata%'
31 - '\AppData\Local\Temp\'
32 - 'C:\Windows\Temp\'
33 - 'C:\ProgramData\'
34 condition: all of selection_*
35falsepositives:
36 - Legitimate import of keys
37level: medium
References
-
Reference article for the reg import command, which copies the contents of a file that contains exported registry subkeys, entries, and values into the registry of the local computer.
Read More
Related rules
- Potential NetWire RAT Activity - Registry
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Registry Modification Via Regini.EXE
- Suspicious Registry Modification From ADS Via Regini.EXE
- Enable LM Hash Storage - ProcCreation