Regedit as Trusted Installer

calendar Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548  ·
Share on: linkedin copy

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

Sigma rule (View on GitHub)

 1title: Regedit as Trusted Installer
 2id: 883835a7-df45-43e4-bf1d-4268768afda4
 3status: test
 4description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
 5references:
 6    - https://twitter.com/1kwpeter/status/1397816101455765504
 7author: Florian Roth (Nextron Systems)
 8date: 2021-05-27
 9modified: 2022-10-09
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1548
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\regedit.exe'
20        ParentImage|endswith:
21            - '\TrustedInstaller.exe'
22            - '\ProcessHacker.exe'
23    condition: selection
24falsepositives:
25    - Unlikely
26level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

Related rules

to-top