New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
Sigma rule
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium
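The following is an added example (not part of the Sigma project or the rule above) showing how the rule's selection is evaluated against registry_set events and how a hit can be triaged. It assumes the Sigma windows/registry_set field names (EventType, TargetObject, Image, Details), which correspond to Sysmon Event ID 13; the sample events and the hypothetical paths and SID in them are constructed for the example.

```python
# Added example (not part of the Sigma project): evaluate this rule's
# selection against registry_set events, the way a Sigma backend would.
# Field names (EventType, TargetObject, Image, Details) follow the Sigma
# windows/registry_set log source, which maps to Sysmon Event ID 13.
# All sample events below are constructed, not real telemetry.

# The rule's selection map, copied from the YAML above. Keys of the form
# "field|modifier" carry a Sigma value modifier.
SELECTION = {
    "EventType": "SetValue",
    "TargetObject|endswith": r"\Software\Winternals\BGInfo\Database",
}


def _value_matches(field_value, modifier, expected):
    """Apply one Sigma string modifier. Sigma string comparisons are
    case-insensitive by default, so both sides are lower-cased."""
    actual = str(field_value).lower()
    wanted = expected.lower()
    if modifier is None:
        return actual == wanted
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """Every key in a Sigma selection map must match (logical AND).
    A field missing from the event never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _value_matches(event[field], modifier or None, expected):
            return False
    return True


def find_matches(events, selection=SELECTION):
    """Return the events for which the rule's condition ('selection') holds."""
    return [e for e in events if selection_matches(e, selection)]


def triage_summary(event):
    """Pull out what an analyst wants first from a hit: which binary wrote
    the value, which user hive it landed in, and where BgInfo will now
    write its output. A UNC path in Details means the output leaves the
    host, which is the scenario the rule description warns about."""
    target = event.get("TargetObject", "")
    parts = target.split("\\")
    hive = parts[0] if target else ""
    sid = parts[1] if hive.upper() == "HKU" and len(parts) > 1 else ""
    db_path = str(event.get("Details", ""))
    return {
        "image": event.get("Image", ""),
        "hive": hive,
        "user_sid": sid,
        "db_path": db_path,
        "remote_db": db_path.startswith("\\\\"),
    }


# Constructed sample events (hypothetical paths and SID).
SAMPLE_EVENTS = [
    {   # Database value pointed at a network share -> should match
        "EventType": "SetValue",
        "Image": r"C:\Tools\Bginfo64.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Winternals\BGInfo\Database",
        "Details": r"\\fileserver\share\bginfo.txt",
    },
    {   # a different BgInfo value under the same key -> no match
        "EventType": "SetValue",
        "Image": r"C:\Tools\Bginfo64.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Winternals\BGInfo\Count",
        "Details": "DWORD (0x00000001)",
    },
    {   # right value name, but a deletion rather than SetValue -> no match
        "EventType": "DeleteValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Winternals\BGInfo\Database",
        "Details": "",
    },
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(triage_summary(hit))
```

The `remote_db` flag is the quickest way to separate the listed false positive (a local or sanctioned external DB file) from the exfiltration case the description mentions: a hit whose Details value is a UNC path to an unfamiliar host deserves a closer look than one pointing at a local file.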
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry