Techniques
Sample rules
Potential Persistence Attempt Via Run Keys Using Reg.EXE
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- reg
- ' ADD '
- Software\Microsoft\Windows\CurrentVersion\Run
Direct Autorun Keys Modification
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Detection logic
condition: all of selection_*
selection_1:
CommandLine|contains: add
Image|endswith: \reg.exe
selection_2:
CommandLine|contains:
- \software\Microsoft\Windows\CurrentVersion\Run
- \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- \software\Microsoft\Windows NT\CurrentVersion\Windows
- \software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- \system\CurrentControlSet\Control\SafeBoot\AlternateShell
Potential Configuration And Service Reconnaissance Via Reg.EXE
- source: sigma
- technicques:
- t1007
- t1012
Description
Detects the usage of “reg.exe” in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains: query
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_key:
CommandLine|contains:
- currentVersion\windows
- winlogon\
- currentVersion\shellServiceObjectDelayLoad
- currentVersion\run
- currentVersion\policies\explorer\run
- currentcontrolset\services