Exports Critical Registry Keys To a File

Detects the export of a critical Registry key (the SYSTEM, SAM or SECURITY hive under HKLM) to a file with regedit.exe.

Sigma rule

title: Exports Critical Registry Keys To a File
id: 82880171-b475-4201-b811-e9c826cd5eaa
related:
    - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
      type: similar
status: test
description: Detects the export of a critical Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli_1:
        CommandLine|contains|windash: ' -E '
    selection_cli_2:
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    selection_cli_3:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Dumping hives for legitimate purposes, e.g. backup or forensic investigation
level: high
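To show how the four selections above combine, here is an added example (not part of the SigmaHQ rule or of any Sigma backend) that re-implements the rule's detection logic in Python and runs it over constructed process_creation events. It models the Sigma conventions the rule relies on: string matching is case-insensitive, `endswith`/`contains` are plain substring tests, `windash` expands the dash in `' -E '` to the dash and slash variants listed in the Sigma specification, and `all of selection_*` requires every selection to match. The event dictionaries, the `ParentImage` values and the command lines are constructed for the example and are not real telemetry; the dash list assumes the current Sigma specification.

```python
"""Re-implementation of Sigma rule 82880171-b475-4201-b811-e9c826cd5eaa (added example).

Events are plain dicts with the process_creation fields the rule reads:
Image, OriginalFileName, CommandLine, plus ParentImage for triage output.
"""

# Characters the Sigma `windash` modifier substitutes for "-" (per the Sigma spec;
# includes en dash, em dash and horizontal bar in addition to "-" and "/").
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def _lower(event, field):
    """Field value as lowercase text ('' if absent): Sigma string matching is case-insensitive."""
    return str(event.get(field, "")).lower()


def selection_img(event):
    # selection_img is a list, so either entry matching is enough. The OriginalFileName
    # branch still fires when a renamed copy of regedit.exe is used.
    return (_lower(event, "Image").endswith("\\regedit.exe")
            or _lower(event, "OriginalFileName") == "regedit.exe")


def selection_cli_1(event):
    # CommandLine|contains|windash: ' -E '  ->  " -e ", " /e ", " \u2013e ", ...
    cmd = _lower(event, "CommandLine")
    return any(" -e ".replace("-", dash) in cmd for dash in WINDASH_CHARS)


def selection_cli_2(event):
    # CommandLine|contains: hklm / hkey_local_machine
    cmd = _lower(event, "CommandLine")
    return "hklm" in cmd or "hkey_local_machine" in cmd


def selection_cli_3(event):
    # CommandLine|endswith: \system / \sam / \security (the target key is the last argument)
    cmd = _lower(event, "CommandLine")
    return any(cmd.endswith(suffix) for suffix in ("\\system", "\\sam", "\\security"))


def matches(event):
    """condition: all of selection_*"""
    return all(sel(event) for sel in
               (selection_img, selection_cli_1, selection_cli_2, selection_cli_3))


def scan(events):
    """Return the rule's `fields` (ParentImage, CommandLine) for every matching event."""
    return [(e.get("ParentImage"), e.get("CommandLine")) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: plain export of the SAM hive -> match
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regedit.exe -E C:\Temp\sam.reg HKLM\SAM"},
    # 1: renamed binary, slash switch, long hive name -> match via OriginalFileName + windash
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "REGEDIT.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"r.exe /E C:\Users\Public\out.reg HKEY_LOCAL_MACHINE\SECURITY"},
    # 2: export of an application key under HKCU -> no match (cli_2 and cli_3 fail)
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regedit.exe -E C:\backup\app.reg HKCU\Software\Contoso"},
    # 3: import of a .reg file, no -E switch -> no match (cli_1 fails)
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'regedit.exe "C:\Temp\sam.reg"'},
    # 4: lowercase switch and hive name -> match (case-insensitive matching)
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regedit.exe -e system.reg hklm\system"},
]

if __name__ == "__main__":
    for parent, cmdline in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} cmd={cmdline}")
```

Events 0, 1 and 4 trigger the rule; event 2 shows why `selection_cli_2`/`selection_cli_3` exist (exporting an ordinary application key is not interesting), and event 3 shows that importing a .reg file is not flagged. Because the rule's `falsepositives` entry covers backup and forensic tooling, the `ParentImage` returned by `scan` is the first thing to check during triage.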
