New BgInfo.EXE Custom DB Path Registry Configuration

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Sigma rule

title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: experimental
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/16
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium
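To show what the selection above actually matches, here is an added example (not part of the rule or the SigmaHQ project) that applies the rule's two conditions to constructed Sysmon registry_set (Event ID 13) events; the event contents, user SID and paths are made up for illustration.

```python
"""Added example: evaluate the BGInfo Database Sigma selection against
constructed registry_set events. All event data below is constructed."""

from typing import Dict, List

# Values copied from the rule's `selection` block.
RULE_EVENT_TYPE = "SetValue"
RULE_TARGET_SUFFIX = r"\Software\Winternals\BGInfo\Database"


def matches_bginfo_db_rule(event: Dict[str, str]) -> bool:
    """selection: EventType == SetValue AND TargetObject|endswith Database.
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparing."""
    event_type = event.get("EventType", "")
    target = event.get("TargetObject", "")
    return (event_type.lower() == RULE_EVENT_TYPE.lower()
            and target.lower().endswith(RULE_TARGET_SUFFIX.lower()))


def alert_on(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule fires on, tagged with the rule's level
    so a triage queue can sort them; `Details` carries the DB path that
    an analyst would check against the false-positive note."""
    return [{**ev, "level": "medium"} for ev in events
            if matches_bginfo_db_rule(ev)]


# Constructed events in the shape Sysmon Event ID 13 produces.
SAMPLE_EVENTS = [
    {   # Fires: the Database value is written under the per-user BGInfo key.
        "EventType": "SetValue",
        "Image": r"C:\Tools\Bginfo64.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Winternals\BGInfo\Database",
        "Details": r"\\fileshare\share\bginfo.xls",  # constructed DB path
    },
    {   # Does not fire: same key, different (constructed) value name.
        "EventType": "SetValue",
        "Image": r"C:\Tools\Bginfo64.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Winternals\BGInfo\SomeOtherValue",
        "Details": "1",
    },
    {   # Does not fire: right value path, but the value was deleted, not set.
        "EventType": "DeleteValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Winternals\BGInfo\Database",
        "Details": "",
    },
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['Image']} set {hit['TargetObject']} -> {hit['Details']}")
```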
