Reg Add Suspicious Paths

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Sigma rule (View on GitHub)

 1title: Reg Add Suspicious Paths
 2id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
 3status: test
 4description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 7    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
 8    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 9author: frack113, Nasreddine Bencherchali (Nextron Systems)
10date: 2022/08/19
11modified: 2022/10/10
12tags:
13    - attack.defense_evasion
14    - attack.t1112
15    - attack.t1562.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_reg:
21        - Image|endswith: '\reg.exe'
22        - OriginalFileName: 'reg.exe'
23    selection_path:
24        CommandLine|contains:
25            # Add more suspicious registry locations below
26            - '\AppDataLow\Software\Microsoft\'
27            - '\Policies\Microsoft\Windows\OOBE'
28            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
29            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
30            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
31            - '\Microsoft\Windows Defender\'
32    condition: all of selection_*
33falsepositives:
34    - Rare legitimate add to registry via cli (to these locations)
35level: high

References

Related rules

to-top