Imports Registry Key From a File

Detects the import of the specified file to the registry with regedit.exe.

Sigma rule (View on GitHub)

 1title: Imports Registry Key From a File
 2id: 73bba97f-a82d-42ce-b315-9182e76c57b1
 3related:
 4    - id: 0b80ade5-6997-4b1d-99a1-71701778ea61
 5      type: similar
 6status: test
 7description: Detects the import of the specified file to the registry with regedit.exe.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11author: Oddvar Moe, Sander Wiebing, oscd.community
12date: 2020-10-07
13modified: 2024-03-13
14tags:
15    - attack.t1112
16    - attack.defense-evasion
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\regedit.exe'
23        - OriginalFileName: 'REGEDIT.EXE'
24    selection_cli:
25        CommandLine|contains:
26            - ' /i '
27            - ' /s '
28            - '.reg'
29    filter_1:
30        CommandLine|contains|windash:
31            - ' -e '
32            - ' -a '
33            - ' -c '
34    filter_2:
35        CommandLine|re: ':[^ \\]'     # to avoid intersection with ADS rule
36    condition: all of selection_* and not all of filter_*
37fields:
38    - ParentImage
39    - CommandLine
40falsepositives:
41    - Legitimate import of keys
42    - Evernote
43level: medium

References

Related rules

to-top