New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
Sigma rule
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium
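As an added example (not part of the rule or of this page), the rule's selection applied in Python to a few constructed Sysmon registry_set events, the way a Sigma backend would evaluate it; the SIDs, image paths and Details values are made up.

```python
# Added example, not the Sigma project's code: apply this rule's
# `TargetObject|endswith` selection to constructed registry_set events.
# Sigma's windows/registry_set category corresponds to Sysmon Event ID 13,
# and Sigma string modifiers compare case-insensitively.
from typing import Iterable

SUFFIX = r"\Software\Winternals\BGInfo\Database"

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, reduced
# to the fields relevant here. All paths and SIDs are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Tools\BgInfo.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Winternals\BGInfo\Database",
     "Details": r"\\fileserver\share\bginfo.mdb"},
    {"EventID": 13, "Image": r"C:\Tools\BgInfo.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Winternals\BGInfo\WMI",
     "Details": "SELECT * FROM Win32_OperatingSystem"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\software\winternals\bginfo\database",
     "Details": r"C:\Users\Public\out.mdb"},
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's single selection."""
    if event.get("EventID") != 13:          # registry_set -> Sysmon EID 13
        return False
    target = event.get("TargetObject", "")
    # `endswith` in Sigma is case-insensitive, so a lower-cased key still hits.
    return target.lower().endswith(SUFFIX.lower())


def alerts(events: Iterable[dict]) -> list[dict]:
    """Collect matching events. Details carries the configured DB path, which
    is what the analyst triages (UNC vs. local path, which process wrote it),
    against the rule's listed false positive of a legitimate external DB."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"{e['Image']} set {e['TargetObject']} -> {e['Details']}")
```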
Related rules
- New BgInfo.EXE Custom VBScript Registry Configuration
- New BgInfo.EXE Custom WMI Query Registry Configuration
- Windows Event Log Access Tampering Via Registry
- Removal of Potential COM Hijacking Registry Keys
- Modification of IE Registry Settings