Potential Configuration And Service Reconnaissance Via Reg.EXE
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Sigma rule (View on GitHub)
1title: Potential Configuration And Service Reconnaissance Via Reg.EXE
2id: 970007b7-ce32-49d0-a4a4-fbef016950bd
3status: test
4description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
7author: Timur Zinniatullin, oscd.community
8date: 2019-10-21
9modified: 2023-02-05
10tags:
11 - attack.discovery
12 - attack.t1012
13 - attack.t1007
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\reg.exe'
20 - OriginalFileName: 'reg.exe'
21 selection_flag:
22 CommandLine|contains: 'query'
23 selection_key:
24 CommandLine|contains:
25 - 'currentVersion\windows'
26 - 'winlogon\'
27 - 'currentVersion\shellServiceObjectDelayLoad'
28 - 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
29 - 'currentVersion\policies\explorer\run'
30 - 'currentcontrolset\services'
31 condition: all of selection_*
32falsepositives:
33 - Discord
34level: medium
References
Related rules
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- Crontab Enumeration
- Operation Wocao Activity
- Operation Wocao Activity - Security