Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
Sigma rule (View on GitHub)
1title: Reg Add Suspicious Paths
2id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
3status: test
4description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
7 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
8 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
9author: frack113, Nasreddine Bencherchali (Nextron Systems)
10date: 2022-08-19
11modified: 2022-10-10
12tags:
13 - attack.defense-evasion
14 - attack.t1112
15 - attack.t1562.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_reg:
21 - Image|endswith: '\reg.exe'
22 - OriginalFileName: 'reg.exe'
23 selection_path:
24 CommandLine|contains:
25 # Add more suspicious registry locations below
26 - '\AppDataLow\Software\Microsoft\'
27 - '\Policies\Microsoft\Windows\OOBE'
28 - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
29 - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
30 - '\CurrentControlSet\Control\SecurityProviders\WDigest'
31 - '\Microsoft\Windows Defender\'
32 condition: all of selection_*
33falsepositives:
34 - Rare legitimate add to registry via cli (to these locations)
35level: high
References
Related rules
- Disable Security Events Logging Adding Reg Key MiniNt
- NetNTLM Downgrade Attack
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder