Potential Configuration And Service Reconnaissance Via Reg.EXE
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Sigma rule
title: Potential Configuration And Service Reconnaissance Via Reg.EXE
id: 970007b7-ce32-49d0-a4a4-fbef016950bd
status: test
description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2023/02/05
tags:
    - attack.discovery
    - attack.t1012
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_flag:
        CommandLine|contains: 'query'
    selection_key:
        CommandLine|contains:
            - 'currentVersion\windows'
            - 'winlogon\'
            - 'currentVersion\shellServiceObjectDelayLoad'
            - 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
            - 'currentVersion\policies\explorer\run'
            - 'currentcontrolset\services'
    condition: all of selection_*
falsepositives:
    - Discord
level: medium
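To show how the detection block behaves on realistic telemetry, here is an added example that is not part of the rule or of SigmaHQ's tooling: a minimal evaluator for the three Sigma modifiers this rule uses (endswith, contains and exact match, all case-insensitive as Sigma's default string matching is), run over constructed process_creation events. The sample events, their "id" labels and the helper names are assumptions made for the example. Two points it makes visible: the OriginalFileName clause still fires when reg.exe is copied under another name, and the trailing backslash in the 'winlogon\' string means a query of the Winlogon key itself (no trailing backslash, no subkey) is not matched by this rule.

```python
"""Evaluate the Reg.EXE reconnaissance Sigma rule against constructed events.

Added example, not code from the rule's author or from SigmaHQ. It implements
only the modifiers this rule uses (endswith, contains, exact match) with
Sigma's default case-insensitive string comparison.
"""

# Detection block transcribed from the rule. A list of maps is OR across the
# maps, a list of values for one field is OR across the values, and the
# condition 'all of selection_*' is AND across the three selections.
SELECTION_IMG = [
    {"Image|endswith": "\\reg.exe"},
    {"OriginalFileName": "reg.exe"},
]
SELECTION_FLAG = {"CommandLine|contains": "query"}
SELECTION_KEY = {
    "CommandLine|contains": [
        "currentVersion\\windows",
        "winlogon\\",
        "currentVersion\\shellServiceObjectDelayLoad",
        "currentVersion\\run",  # also covers RunOnce, RunOnceEx, RunServicesOnce
        "currentVersion\\policies\\explorer\\run",
        "currentcontrolset\\services",
    ]
}
SELECTIONS = (SELECTION_IMG, SELECTION_FLAG, SELECTION_KEY)

# Constructed process_creation events (Sysmon Event ID 1 style fields), not
# real telemetry. 'id' is only a label for the reader and the test.
SAMPLE_EVENTS = [
    {"id": "run-key", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"},
    {"id": "services", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg.exe query HKLM\\System\\CurrentControlSet\\Services\\ /s"},
    # reg.exe copied to a new name: Image fails, OriginalFileName still matches.
    {"id": "renamed", "Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'r.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"'},
    # Same key without the trailing backslash or a subkey: 'winlogon\' is absent.
    {"id": "no-trailing-backslash", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"'},
    # Persistence write, not a query: selection_flag fails.
    {"id": "reg-add", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\Public\\u.exe"},
    # The listed false positive: a benign query of the user's Run key.
    {"id": "discord", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Discord"},
    # Query of a key the rule does not list.
    {"id": "uninstall", "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s"},
]


def _field_matches(event, key, expected):
    """Apply one 'Field|modifier: value(s)' entry to an event, case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = [expected] if isinstance(expected, str) else expected
    for value in values:  # several values for one field are OR-ed
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event, selection):
    """A list of maps is OR across the maps; one map is AND across its fields."""
    if isinstance(selection, list):
        return any(_selection_matches(event, part) for part in selection)
    return all(_field_matches(event, key, val) for key, val in selection.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(_selection_matches(event, sel) for sel in SELECTIONS)


def matching_ids(events=SAMPLE_EVENTS):
    """Return the labels of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "ALERT" if rule_matches(e) else "  -  "
        print(f"{flag}  {e['id']}: {e['CommandLine']}")
```

Running it alerts on run-key, services, renamed and discord, and stays quiet on the other three. The discord hit is the rule's documented false positive; if that is noisy in an environment, a filter on the parent process or on a `/v Discord` argument is the usual tuning rather than dropping the Run key from the list, since that key is also the one adversaries query most.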
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI