Reg Add Suspicious Paths

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Sigma rule:

title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains:
            # Add more suspicious registry locations below
            - '\AppDataLow\Software\Microsoft\'
            - '\Policies\Microsoft\Windows\OOBE'
            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
            - '\Microsoft\Windows Defender\'
    condition: all of selection_*
falsepositives:
    - Rare legitimate add to registry via cli (to these locations)
level: high
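
To show how the detection block above evaluates against process_creation telemetry, here is an added Python re-implementation of its matching logic run over a few constructed events. This is illustrative code, not Sigma's own engine or the rule authors' code; the field names follow the rule, the event values are made up, and it relies on Sigma's default case-insensitive string matching.

```python
# Illustrative re-implementation of the rule's detection block; not Sigma's
# engine. Field names follow the rule; paths are copied from selection_path.
SUSPICIOUS_PATHS = [
    "\\AppDataLow\\Software\\Microsoft\\",
    "\\Policies\\Microsoft\\Windows\\OOBE",
    "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon",
    "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
    "\\Microsoft\\Windows Defender\\",
]

def selection_reg(event: dict) -> bool:
    """List form = OR: Image ends with \\reg.exe or OriginalFileName is reg.exe."""
    image = event.get("Image", "").lower()
    return image.endswith("\\reg.exe") or event.get("OriginalFileName", "").lower() == "reg.exe"

def selection_path(event: dict) -> bool:
    """CommandLine|contains any listed path; Sigma string matching is case-insensitive."""
    cmdline = event.get("CommandLine", "").lower()
    return any(p.lower() in cmdline for p in SUSPICIOUS_PATHS)

def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_reg(event) and selection_path(event)

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",  # lower-case path still matches
     "CommandLine": 'reg add "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon" /v TestValue /t REG_SZ /d test /f'},
    {"Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",  # renamed binary, caught by OriginalFileName
     "CommandLine": "r.exe add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v TestValue /t REG_DWORD /d 0 /f"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",  # unrelated key: no alert
     "CommandLine": "reg query HKCU\\Software\\Contoso\\App /v Version"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",  # not reg.exe: no alert
     "CommandLine": "cmd /c echo \\Microsoft\\Windows Defender\\ > log.txt"},
]

def run_samples() -> list:
    """Returns one verdict per sample event, in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT " if hit else "ok    ", event["CommandLine"])
```

The second sample shows why the rule keys on OriginalFileName as well as Image: a renamed copy of reg.exe still carries the original name in its version resource, so the fourth sample (a different binary merely echoing one of the paths) does not fire while the renamed reg.exe does.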
