Exports Registry Key To a File
Detects the export of the target Registry key to a file.
Sigma rule
```yaml
title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
related:
    - id: 82880171-b475-4201-b811-e9c826cd5eaa
      type: similar
status: test
description: Detects the export of the target Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains|windash: ' -E '
    filter_1: # filters to avoid intersection with critical keys rule
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    filter_2:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_* and not all of filter_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate export of keys
level: low
```
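To show how the selection, `windash` and the two filters combine, here is an added Python evaluator of the rule's logic (not Sigma's own engine or this rule's code) run over constructed process-creation events; it assumes events are dicts keyed by the rule's field names and expands `-` to the dash variants Sigma's `windash` modifier documents.

```python
# Added example: minimal evaluator for this rule's detection logic.
# Events are plain dicts keyed like the rule's fields (Image, OriginalFileName, CommandLine).
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]  # windash: '-', '/', en dash, em dash, horizontal bar


def contains_windash(value: str, pattern: str) -> bool:
    """'contains|windash': case-insensitive substring test where each '-' in the
    pattern may appear as any Windows switch-dash variant in the value."""
    v = value.lower()
    return any(pattern.replace("-", d).lower() in v for d in DASHES)


def matches_rule(event: dict) -> bool:
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # selection_img is a YAML list of maps, so the two field tests are OR-ed
    selection_img = image.endswith("\\regedit.exe") or ofn == "regedit.exe"
    selection_cli = contains_windash(cmd, " -E ")
    filter_1 = any(k in cmd for k in ("hklm", "hkey_local_machine"))
    filter_2 = cmd.endswith(("\\system", "\\sam", "\\security"))
    # condition: all of selection_* and not all of filter_*
    # Both filters must hold to suppress: HKLM exports of SAM/SYSTEM/SECURITY are
    # left to the "Exports Critical Registry Keys To a File" rule.
    return selection_img and selection_cli and not (filter_1 and filter_2)


EVENTS = [  # constructed sample events, not real telemetry
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe -E C:\Users\bob\app.reg HKCU\Software\App"},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /E C:\temp\s.reg HKEY_LOCAL_MACHINE\SAM"},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /E C:\temp\s.reg HKLM\Software\App"},
    {"Image": r"C:\temp\r.exe", "OriginalFileName": "REGEDIT.EXE",   # renamed copy
     "CommandLine": "r.exe \u2013E C:\\temp\\u.reg HKCU\\Software\\App"},  # en dash switch
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe C:\temp\import.reg"},   # import, no -E switch
]


def evaluate(events: list) -> list:
    """Return one verdict per event in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT" if hit else "     ", e["CommandLine"])
```

The second event is suppressed only because both filters hold (an HKLM hive ending in `\SAM`); the HKLM export under `Software` in the third event still alerts.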
Related rules
- Exports Critical Registry Keys To a File
- HackTool - PCHunter Execution
- Active Directory Structure Export Via Csvde.EXE
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access