Techniques
Sample rules
Dumping of Sensitive Hives Via Reg.EXE
- source: sigma
- techniques:
  - t1003
  - t1003.002
  - t1003.004
  - t1003.005
Description
Detects the usage of “reg.exe” in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
Detection logic
  condition: all of selection_*
  selection_cli_flag:
    CommandLine|contains:
      - ' save '
      - ' export '
      - " \u02E2ave "
      - " e\u02E3port "
  selection_cli_hive:
    CommandLine|contains:
      - \system
      - \sam
      - \security
      - "\\\u02E2ystem"
      - "\\sy\u02E2tem"
      - "\\\u02E2y\u02E2tem"
      - "\\\u02E2am"
      - "\\\u02E2ecurity"
  selection_cli_hklm:
    CommandLine|contains:
      - hklm
      - "hk\u02EAm"
      - hkey_local_machine
      - "hkey_\u02EAocal_machine"
      - "hkey_loca\u02EA_machine"
      - "hkey_\u02EAoca\u02EA_machine"
  selection_img:
    - Image|endswith: \reg.exe
    - OriginalFileName: reg.exe
Exports Critical Registry Keys To a File
- source: sigma
- techniques:
  - t1012
Description
Detects the export of a critical Registry key to a file.
Detection logic
  condition: all of selection_*
  selection_cli_1:
    CommandLine|contains|windash: ' -E '
  selection_cli_2:
    CommandLine|contains:
      - hklm
      - hkey_local_machine
  selection_cli_3:
    CommandLine|endswith:
      - \system
      - \sam
      - \security
  selection_img:
    - Image|endswith: \regedit.exe
    - OriginalFileName: REGEDIT.EXE
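Both rules above, evaluated by a small matcher over constructed process-creation events, as an added example that is not code from the Sigma project or from the rules' authors. The rule dictionaries mirror the two detection blocks; the matcher itself, the sample events and the simplified `windash` handling (only `-` to `/`) are assumptions made here.

```python
# Added example, not the Sigma project's code: a minimal evaluator for the two rules
# above, run over constructed events. Assumes Sigma semantics: case-insensitive match,
# OR across list values / a list of maps, AND across map fields / selection_* blocks.
def _match_value(mods, value, pattern):
    value, pattern = value.lower(), pattern.lower()
    # windash: the '-E' switch must also match '/E' (Unicode dashes not handled here)
    pats = [pattern, pattern.replace("-", "/")] if "windash" in mods else [pattern]
    if "contains" in mods:
        return any(p in value for p in pats)
    return any(value.endswith(p) if "endswith" in mods else value == p for p in pats)

def _match_selection(sel, event):
    if isinstance(sel, list):  # list of maps: any one map may match
        return any(_match_selection(s, event) for s in sel)
    for key, pats in sel.items():  # one map: every field must match a listed value
        field, *mods = key.split("|")  # e.g. "CommandLine|contains|windash"
        pats = pats if isinstance(pats, list) else [pats]
        if not any(_match_value(mods, str(event.get(field, "")), p) for p in pats):
            return False
    return True

def rule_matches(rule, event):  # condition: all of selection_*
    return all(_match_selection(s, event) for n, s in rule.items() if n.startswith("selection_"))

RULES = {
    "Dumping of Sensitive Hives Via Reg.EXE": {
        "selection_cli_flag": {"CommandLine|contains": [" save ", " export ", " \u02e2ave ", " e\u02e3port "]},
        "selection_cli_hive": {"CommandLine|contains": ["\\system", "\\sam", "\\security", "\\\u02e2ystem",
                               "\\sy\u02e2tem", "\\\u02e2y\u02e2tem", "\\\u02e2am", "\\\u02e2ecurity"]},
        "selection_cli_hklm": {"CommandLine|contains": ["hklm", "hk\u02eam", "hkey_local_machine",
                               "hkey_\u02eaocal_machine", "hkey_loca\u02ea_machine", "hkey_\u02eaoca\u02ea_machine"]},
        "selection_img": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
    },
    "Exports Critical Registry Keys To a File": {
        "selection_cli_1": {"CommandLine|contains|windash": " -E "},
        "selection_cli_2": {"CommandLine|contains": ["hklm", "hkey_local_machine"]},
        "selection_cli_3": {"CommandLine|endswith": ["\\system", "\\sam", "\\security"]},
        "selection_img": [{"Image|endswith": "\\regedit.exe"}, {"OriginalFileName": "REGEDIT.EXE"}],
    },
}

EVENTS = [  # constructed sample process-creation events, not real telemetry
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": "reg \u02e2ave hk\u02eam\\\u02e2am C:\\Temp\\s.hiv"},  # homoglyphs
    {"Image": r"C:\Windows\regedit.exe", "CommandLine": r"regedit.exe /E C:\Temp\sec.reg HKLM\SECURITY"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg query HKLM\Software\Microsoft\Windows"},
]

def triggered(event):
    return [title for title, rule in RULES.items() if rule_matches(rule, event)]
```

The second sample event shows why the rules carry the U+02E2/U+02E3/U+02EA spellings: a plain `contains: ' save '` would miss it, while the rule as written still fires.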