Exports Registry Key To a File

Detects the export of the target Registry key to a file.

Sigma rule

title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
related:
    - id: 82880171-b475-4201-b811-e9c826cd5eaa
      type: similar
status: test
description: Detects the export of the target Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
modified: 2024/03/13
tags:
    - attack.exfiltration
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains|windash: ' -E '
    filter_1:   # filters to avoid intersection with critical keys rule
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    filter_2:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_* and not all of filter_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate export of keys
level: low
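The condition above is easy to misread: an event is excluded only when both filter_1 and filter_2 match, i.e. an HKLM export whose target ends in \system, \sam or \security, which the related critical-keys rule covers. The following evaluator, an added example and not code from the Sigma project, applies the rule's selections, filters and windash expansion to constructed process_creation events (the sample paths and command lines are assumptions):

```python
# Added example, not code from the Sigma project: a small evaluator for the
# rule above, run over constructed process_creation events.

# Sigma's 'windash' modifier expands '-' to the dash variants Windows
# command-line parsers accept; string matching is case-insensitive by default.
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # selection_img is a list of maps, so the two alternatives are OR-ed
    selection_img = image.endswith("\\regedit.exe") or orig == "regedit.exe"

    # selection_cli: ' -E ' under windash -> ' -e ', ' /e ', ' \u2013e ', ...
    selection_cli = any(f" {d}e " in cmd for d in WINDASH)

    # filter_1: export taken from the local machine hive
    filter_1 = "hklm" in cmd or "hkey_local_machine" in cmd

    # filter_2: target key is one of the credential-bearing hives
    filter_2 = cmd.endswith(("\\system", "\\sam", "\\security"))

    # condition: all of selection_* and not all of filter_*
    # Only when BOTH filters match is the event left to the critical-keys rule.
    return selection_img and selection_cli and not (filter_1 and filter_2)


# Constructed sample events (assumed paths, not real telemetry)
EVENTS = [
    {"Image": "C:\\Windows\\regedit.exe",
     "CommandLine": "regedit.exe /E C:\\Users\\Public\\app.reg HKCU\\Software\\App"},
    {"Image": "C:\\Windows\\regedit.exe",
     "CommandLine": "regedit.exe -e out.reg HKLM\\SYSTEM"},
    {"Image": "C:\\Windows\\regedit.exe",
     "CommandLine": "regedit.exe /E out.reg HKLM\\Software\\Vendor"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe -E notes.txt"},
]


def evaluate(events=EVENTS) -> list:
    """Apply the rule to each event: [True, False, True, False] for EVENTS."""
    return [matches_rule(e) for e in events]
```

The second sample event (an HKLM\SYSTEM export) is deliberately not flagged here, because both filters match and the related rule 82880171 is meant to handle it.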
