Regedit as Trusted Installer

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

Sigma rule (View on GitHub)

 1title: Regedit as Trusted Installer
 2id: 883835a7-df45-43e4-bf1d-4268768afda4
 3status: test
 4description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
 5references:
 6    - https://twitter.com/1kwpeter/status/1397816101455765504
 7author: Florian Roth (Nextron Systems)
 8date: 2021-05-27
 9modified: 2022-10-09
10tags:
11    - attack.privilege-escalation
12    - attack.t1548
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\regedit.exe'
19        ParentImage|endswith:
20            - '\TrustedInstaller.exe'
21            - '\ProcessHacker.exe'
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

x.com

Read More

Related rules

AWS STS AssumeRole Misuse
AWS STS GetSessionToken Misuse
AWS Suspicious SAML Activity
Abused Debug Privilege by Arbitrary Parent Processes
COM Hijack via Sdclt

Regedit as Trusted Installer

Sigma rule (View on GitHub)

References

x.com

Related rules