New BgInfo.EXE Custom DB Path Registry Configuration

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Sigma rule (View on GitHub)

 1title: New BgInfo.EXE Custom DB Path Registry Configuration
 2id: 53330955-dc52-487f-a3a2-da24dcff99b5
 3status: test
 4description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
 5references:
 6    - Internal Research
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-08-16
 9tags:
10    - attack.defense-evasion
11    - attack.t1112
12logsource:
13    category: registry_set
14    product: windows
15detection:
16    selection:
17        EventType: SetValue
18        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
19    condition: selection
20falsepositives:
21    - Legitimate use of external DB to save the results
22level: medium

References

Related rules

to-top