Potential Configuration And Service Reconnaissance Via Reg.EXE

calendar Oct 4, 2023 · attack.discovery attack.t1012 attack.t1007  ·
Share on: linkedin copy

Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.

Sigma rule (View on GitHub)

 1title: Potential Configuration And Service Reconnaissance Via Reg.EXE
 2id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 3status: test
 4description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 7author: Timur Zinniatullin, oscd.community
 8date: 2019/10/21
 9modified: 2023/02/05
10tags:
11    - attack.discovery
12    - attack.t1012
13    - attack.t1007
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\reg.exe'
20        - OriginalFileName: 'reg.exe'
21    selection_flag:
22        CommandLine|contains: 'query'
23    selection_key:
24        CommandLine|contains:
25            - 'currentVersion\windows'
26            - 'winlogon\'
27            - 'currentVersion\shellServiceObjectDelayLoad'
28            - 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
29            - 'currentVersion\policies\explorer\run'
30            - 'currentcontrolset\services'
31    condition: all of selection_*
32falsepositives:
33    - Discord
34level: medium

References

Related rules

to-top