Imports Registry Key From a File

Detects the import of the specified file to the registry with regedit.exe.

Sigma rule

title: Imports Registry Key From a File
id: 73bba97f-a82d-42ce-b315-9182e76c57b1
related:
    - id: 0b80ade5-6997-4b1d-99a1-71701778ea61
      type: similar
status: test
description: Detects the import of the specified file to the registry with regedit.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /i '
            - ' /s '
            - '.reg'
    filter_1:
        CommandLine|contains|windash:
            - ' -e '
            - ' -a '
            - ' -c '
    filter_2:
        CommandLine|re: ':[^ \\]'     # to avoid intersection with ADS rule
    condition: all of selection_* and not all of filter_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate import of keys
    - Evernote
level: medium
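To see how the condition combines the two selections and the two filters (an event is suppressed only when both filters hit), here is an added Python evaluation of this rule's logic over a few constructed process_creation events. This is example code written for this page, not part of the Sigma project; the sample events and the simplified handling of the windash modifier are assumptions.

```python
import re

# Constructed sample process_creation events (not taken from the page);
# field names mirror those the Sigma rule uses.
EVENTS = [
    {"name": "silent_import",
     "Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /s C:\Users\Public\keys.reg"},
    {"name": "renamed_binary_import",      # Image renamed, OriginalFileName still matches
     "Image": r"C:\Temp\svc.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"svc.exe /i C:\Temp\keys.reg"},
    {"name": "export_to_file",             # filter_1 only: still alerts (both filters needed)
     "Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /e C:\Temp\backup.reg HKLM\Software\Example"},
    {"name": "export_to_ads",              # both filters: left to the related ADS rule
     "Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /e C:\Temp\notes.txt:out.reg HKCU\Software\Example"},
    {"name": "unrelated",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir"},
]


def windash(values):
    """Simplified Sigma 'windash' modifier: match each flag with both '-' and '/' prefixes."""
    return [v for s in values for v in (s, s.replace("-", "/"))]


def rule_matches(event):
    """all of selection_* and not all of filter_*; string tests are case-insensitive as in Sigma."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_img = image.endswith(r"\regedit.exe") or orig == "regedit.exe"
    selection_cli = any(s in cmd for s in (" /i ", " /s ", ".reg"))
    filter_1 = any(s in cmd for s in windash([" -e ", " -a ", " -c "]))
    # filter_2: a colon followed by anything but space or backslash (ADS-style target)
    filter_2 = re.search(r":[^ \\]", event.get("CommandLine", "")) is not None
    return selection_img and selection_cli and not (filter_1 and filter_2)


def evaluate(events=EVENTS):
    """Return {event name: True if the rule would alert on that event}."""
    return {e["name"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

Note that a plain export to a .reg file still alerts, because only the combination of an export flag and an ADS-style colon is excluded; tune the filters if that is too noisy in your environment.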
