Exports Registry Key To a File

Detects the export of the target Registry key to a file.

Sigma rule (View on GitHub)

 1title: Exports Registry Key To a File
 2id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
 3related:
 4    - id: 82880171-b475-4201-b811-e9c826cd5eaa
 5      type: similar
 6status: test
 7description: Detects the export of the target Registry key to a file.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11author: Oddvar Moe, Sander Wiebing, oscd.community
12date: 2020-10-07
13modified: 2024-03-13
14tags:
15    - attack.exfiltration
16    - attack.t1012
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\regedit.exe'
23        - OriginalFileName: 'REGEDIT.EXE'
24    selection_cli:
25        CommandLine|contains|windash: ' -E '
26    filter_1:   # filters to avoid intersection with critical keys rule
27        CommandLine|contains:
28            - 'hklm'
29            - 'hkey_local_machine'
30    filter_2:
31        CommandLine|endswith:
32            - '\system'
33            - '\sam'
34            - '\security'
35    condition: all of selection_* and not all of filter_*
36fields:
37    - ParentImage
38    - CommandLine
39falsepositives:
40    - Legitimate export of keys
41level: low

References

Related rules

to-top