Imports Registry Key From an ADS
Detects the import of an alternate data stream (ADS) into the registry with regedit.exe.
Sigma rule
```yaml
title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
      type: similar
status: test
description: Detects the import of an alternate data stream to the registry with regedit.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /i '
            - '.reg'
        CommandLine|re: ':[^ \\]'
    filter:
        CommandLine|contains|windash:
            - ' -e '
            - ' -a '
            - ' -c '
    condition: all of selection_* and not filter
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Unknown
level: high
```
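To see how the rule's `all of selection_* and not filter` condition behaves, here is an added example (not part of the rule or the page, and not pySigma) that hand-evaluates the three selections over constructed process_creation events. The `windash` helper is an approximation that only adds the `/` form of each switch, and Sigma's case-insensitive string matching is emulated by lowercasing.

```python
import re

# Hand-written evaluator for this rule's detection block (added example,
# not the project's code). Sigma string modifiers are case-insensitive,
# so Image/OriginalFileName/CommandLine are lowercased before comparing.
IMAGE_SUFFIX = "\\regedit.exe"
ORIGINAL_FILE_NAME = "regedit.exe"
CLI_CONTAINS = [" /i ", ".reg"]            # selection_cli: OR across values
ADS_RE = re.compile(r":[^ \\]")            # colon not followed by space or backslash
FILTER_FLAGS = [" -e ", " -a ", " -c "]    # export / load hive / compare (benign)

def windash(values):
    """Approximate Sigma's |windash modifier: also accept the '/' spelling."""
    return values + [v.replace("-", "/", 1) for v in values]

def matches(event):
    """True when: all of selection_* and not filter."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")
    selection_img = image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME
    selection_cli = (any(s in cli.lower() for s in CLI_CONTAINS)
                     and ADS_RE.search(cli) is not None)
    filtered = any(f in cli.lower() for f in windash(FILTER_FLAGS))
    return selection_img and selection_cli and not filtered

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /i C:\Users\Public\notes.txt:payload.reg"},
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe -e C:\Users\Public\backup.reg HKLM\Software\Foo"},
    {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /s C:\Users\Public\notes.txt:payload.reg"},
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe /i C:\Users\Public\notes.txt:payload.reg"},
]

def evaluate_rule(events=SAMPLE_EVENTS):
    """Return one verdict per event: ADS import alert (True) or no alert."""
    return [matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_rule()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Note that the second event is dropped both by the `-e` export filter and because `C:\` does not satisfy the `:[^ \\]` regex, while the third shows that a silent `/s` import still fires because `.reg` plus the ADS colon is enough.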
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird