Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
Sigma rule:

```yaml
title: Imports Registry Key From a File
id: 73bba97f-a82d-42ce-b315-9182e76c57b1
related:
    - id: 0b80ade5-6997-4b1d-99a1-71701778ea61
      type: similar
status: test
description: Detects the import of the specified file to the registry with regedit.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
modified: 2024/03/13
tags:
    - attack.t1112
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /i '
            - ' /s '
            - '.reg'
    filter_1:
        CommandLine|contains|windash:
            - ' -e '
            - ' -a '
            - ' -c '
    filter_2:
        CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
    condition: all of selection_* and not all of filter_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate import of keys
    - Evernote
level: medium
```
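To make the condition concrete, the following is an added Python re-implementation of the rule's detection block run over constructed process_creation events; it is example code, not part of the Sigma project or this rule, and it models the `windash` modifier as just the `-` and `/` spellings of each flag. Note that `not all of filter_*` suppresses an event only when both filters match, which is what hands the ADS-style command lines to the sibling rule.

```python
import re

# Re-implementation of the rule's detection block (added example, not SigmaHQ code).
# Sigma string matching is case-insensitive; the windash modifier is modelled here
# as just the "-" and "/" variants of each flag.
IMG_SUFFIX = "\\regedit.exe"
ORIG_NAME = "regedit.exe"
CLI_TOKENS = (" /i ", " /s ", ".reg")          # selection_cli (any one suffices)
FILTER1_FLAGS = (" -e ", " -a ", " -c ")        # filter_1 (export/ancillary switches)
FILTER2_RE = re.compile(r":[^ \\]")             # filter_2: colon not followed by space or backslash


def windash_variants(flag):
    """Expand ' -e ' into its dash and slash spellings, as windash does."""
    return {flag, flag.replace("-", "/", 1)}


def regedit_import_from_file(event):
    """True when a process_creation event satisfies the rule condition."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    selection_img = image.endswith(IMG_SUFFIX) or orig == ORIG_NAME
    selection_cli = any(tok in cmd_l for tok in CLI_TOKENS)
    filter_1 = any(v in cmd_l for f in FILTER1_FLAGS for v in windash_variants(f))
    filter_2 = FILTER2_RE.search(cmd) is not None
    # condition: all of selection_* and not all of filter_*
    # i.e. suppression needs BOTH filters, which leaves ADS cases to the sibling rule
    return selection_img and selection_cli and not (filter_1 and filter_2)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /s C:\Users\Public\update.reg"},   # silent import: alert
    {"Image": r"C:\Temp\r.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"r.exe /i C:\Temp\keys.reg"},                   # renamed binary: alert
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe -e C:\Temp\out.reg:hidden"},       # both filters hit: suppressed
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Temp\keys.reg"},                # not regedit: no alert
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(regedit_import_from_file(ev), ev["CommandLine"])
```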
Related rules
- Imports Registry Key From an ADS
- Enable WDigest using PowerShell
- Enabling RDP service via reg.exe command execution
- RDP Sensitive Settings Changed
- RDP Sensitive Settings Changed to Zero