LoFP / dumping hives for legitimate purpose i.e. backup or forensic investigation

Techniques

Sample rules

Exports Critical Registry Keys To a File

Description

Detects the export of a critical Registry key to a file.

Detection logic

condition: all of selection_*
selection_cli_1:
  CommandLine|contains|windash: ' -E '
selection_cli_2:
  CommandLine|contains:
  - hklm
  - hkey_local_machine
selection_cli_3:
  CommandLine|endswith:
  - \system
  - \sam
  - \security
selection_img:
- Image|endswith: \regedit.exe
- OriginalFileName: REGEDIT.EXE

Dumping of Sensitive Hives Via Reg.EXE

Description

Detects the usage of “reg.exe” in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

Detection logic

condition: all of selection_*
selection_cli_flag:
  CommandLine|contains:
  - ' save '
  - ' export '
  - " \u02E2ave "
  - " e\u02E3port "
selection_cli_hive:
  CommandLine|contains:
  - \system
  - \sam
  - \security
  - "\\\u02E2ystem"
  - "\\sy\u02E2tem"
  - "\\\u02E2y\u02E2tem"
  - "\\\u02E2am"
  - "\\\u02E2ecurity"
selection_cli_hklm:
  CommandLine|contains:
  - hklm
  - "hk\u02EAm"
  - hkey_local_machine
  - "hkey_\u02EAocal_machine"
  - "hkey_loca\u02EA_machine"
  - "hkey_\u02EAoca\u02EA_machine"
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
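To see how the two rules above behave on real-looking telemetry, here is an added example (not LoFP's or the Sigma project's code): a small evaluator that transcribes both rules into Python and runs them over constructed Sysmon-style process-creation events. It implements only the Sigma features these rules rely on: case-insensitive `contains` and `endswith`, the `windash` modifier (the set of dash variants it expands to is an assumption), map selections (AND across fields, OR across listed values), list selections (OR across maps) and the `all of selection_*` condition. The events, including the one using the modifier-letter homoglyphs the second rule lists, are constructed for this example.

```python
# Added example, not part of LoFP or the Sigma rules: a toy evaluator for the two
# rules on this page, run over constructed process-creation events.

# Assumption: windash expands the first '-' in a pattern to each of these variants.
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]

# Rules transcribed from the page. YAML "\\\u02E2ystem" is '\' + U+02E2 + 'ystem'.
REGEDIT_EXPORT = {
    "selection_cli_1": {"CommandLine|contains|windash": " -E "},
    "selection_cli_2": {"CommandLine|contains": ["hklm", "hkey_local_machine"]},
    "selection_cli_3": {"CommandLine|endswith": ["\\system", "\\sam", "\\security"]},
    "selection_img": [{"Image|endswith": "\\regedit.exe"},
                      {"OriginalFileName": "REGEDIT.EXE"}],
}
REG_SAVE = {
    "selection_cli_flag": {"CommandLine|contains": [
        " save ", " export ", " \u02E2ave ", " e\u02E3port "]},
    "selection_cli_hive": {"CommandLine|contains": [
        "\\system", "\\sam", "\\security", "\\\u02E2ystem", "\\sy\u02E2tem",
        "\\\u02E2y\u02E2tem", "\\\u02E2am", "\\\u02E2ecurity"]},
    "selection_cli_hklm": {"CommandLine|contains": [
        "hklm", "hk\u02EAm", "hkey_local_machine", "hkey_\u02EAocal_machine",
        "hkey_loca\u02EA_machine", "hkey_\u02EAoca\u02EA_machine"]},
    "selection_img": [{"Image|endswith": "\\reg.exe"},
                      {"OriginalFileName": "reg.exe"}],
}
RULES = {
    "Exports Critical Registry Keys To a File": REGEDIT_EXPORT,
    "Dumping of Sensitive Hives Via Reg.EXE": REG_SAVE,
}

# Constructed events (Sysmon Event ID 1 style fields), not captured telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg save hklm\\sam C:\\temp\\sam.hiv"},
    {"Image": "C:\\Windows\\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": "regedit /E C:\\out.reg HKEY_LOCAL_MACHINE\\SECURITY"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query hklm\\software\\microsoft\\windows /v ProgramFilesDir"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg \u02E2ave HKLM\\\u02E2am C:\\temp\\x.hiv"},  # homoglyph spelling
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg export HKLM\\SOFTWARE\\Contoso C:\\backup\\contoso.reg"},
]


def _match_value(field_value, pattern, modifiers):
    """Case-insensitive comparison of one field value against one pattern."""
    value = field_value.lower()
    candidates = [pattern]
    if "windash" in modifiers and "-" in pattern:
        candidates = [pattern.replace("-", d, 1) for d in WINDASH_VARIANTS]
    for cand in (c.lower() for c in candidates):
        if "contains" in modifiers:
            hit = cand in value
        elif "endswith" in modifiers:
            hit = value.endswith(cand)
        elif "startswith" in modifiers:
            hit = value.startswith(cand)
        else:
            hit = value == cand
        if hit:
            return True
    return False


def _match_field(event, key, patterns):
    """'Field|mod1|mod2': values listed under one key are OR-ed."""
    field, *modifiers = key.split("|")
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(_match_value(event.get(field, ""), p, modifiers) for p in patterns)


def _match_selection(event, selection):
    if isinstance(selection, list):  # list of maps: any map may match
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())  # map: all fields


def rule_matches(event, rule):
    """condition: all of selection_* -> every selection must match."""
    return all(_match_selection(event, sel) for sel in rule.values())


def evaluate(events, rules=RULES):
    """Map event index -> names of the rules that fired, for events that fired."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, rule in rules.items() if rule_matches(ev, rule)]
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, names in evaluate(EVENTS).items():
        print(idx, EVENTS[idx]["CommandLine"], "->", names)
```

Events 0 and 3 fire the reg.exe rule and event 1 fires the regedit rule, while the `reg query` and the export of an unrelated key under HKLM\SOFTWARE do not, because the hive selection only lists `\system`, `\sam` and `\security`. Event 0 is also exactly what a forensic `reg save` of the SAM hive looks like, which is the false positive this LoFP entry catalogues; triage on who ran it and where the output file went rather than on the command line alone.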