Techniques
Sample rules
Imports Registry Key From a File
- source: sigma
- techniques:
  - t1112
Description
Detects the import of the specified file to the registry with regedit.exe.
Detection logic
selection_img:
  - Image|endswith: '\regedit.exe'
  - OriginalFileName: 'REGEDIT.EXE'
selection_cli:
  CommandLine|contains:
    - ' /i '
    - ' /s '
    - '.reg'
filter_1:
  CommandLine|contains|windash:
    - ' -e '
    - ' -a '
    - ' -c '
filter_2:
  CommandLine|re: ':[^ \\]'
condition: all of selection_* and not all of filter_*
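The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python evaluator that applies the rule's four blocks and its condition to constructed process-creation events, so the matching semantics can be checked offline. It assumes Sigma's usual case-insensitive string matching for `contains`/`endswith`/equality and a case-sensitive regex for `|re`, and it expands `|windash` to the switch-character variants `-`, `/`, en dash, em dash and horizontal bar (my reading of the pySigma modifier, stated here as an assumption). Note what the condition actually says: `not all of filter_*` only suppresses an event when both `filter_1` and `filter_2` hold, so a `/e` export that also contains `.reg` still fires unless the command line also contains a colon followed by something other than a space or backslash.

```python
import re
from typing import Dict, Iterable, List

# Sigma matches contains/endswith/equals case-insensitively; |re is a
# plain case-sensitive regex search (assumptions stated in the lead-in).
def _ci_contains(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.casefold()
    return any(n.casefold() in h for n in needles)

# |windash: every '-' in a value is also matched as the other Windows
# switch characters. Variant set is an assumption mirroring pySigma.
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

def windash(values: Iterable[str]) -> List[str]:
    return [v.replace("-", d) for v in values for d in DASH_VARIANTS]

# --- the rule's blocks, transcribed from the page ---------------------
def selection_img(ev: Dict[str, str]) -> bool:
    image = ev.get("Image", "").casefold()
    orig = ev.get("OriginalFileName", "").casefold()
    return image.endswith("\\regedit.exe") or orig == "regedit.exe"

def selection_cli(ev: Dict[str, str]) -> bool:
    return _ci_contains(ev.get("CommandLine", ""), (" /i ", " /s ", ".reg"))

FILTER_1_VALUES = windash((" -e ", " -a ", " -c "))
FILTER_2_RE = re.compile(r":[^ \\]")

def filter_1(ev: Dict[str, str]) -> bool:
    return _ci_contains(ev.get("CommandLine", ""), FILTER_1_VALUES)

def filter_2(ev: Dict[str, str]) -> bool:
    return FILTER_2_RE.search(ev.get("CommandLine", "")) is not None

def rule_matches(ev: Dict[str, str]) -> bool:
    # condition: all of selection_* and not all of filter_*
    selections = selection_img(ev) and selection_cli(ev)
    filters = filter_1(ev) and filter_2(ev)   # BOTH filters must hold
    return selections and not filters

# Constructed process-creation events (Sysmon EID 1 style); not real
# telemetry. Paths and key names are invented for the example.
EVENTS = [
    {   # silent import of a .reg file -> should match
        "Image": r"C:\Windows\regedit.exe",
        "OriginalFileName": "REGEDIT.EXE",
        "CommandLine": r"regedit.exe /s C:\Users\Public\settings.reg",
    },
    {   # export (/e) but no colon matched by filter_2 -> still matches,
        # because 'not all of filter_*' needs both filters to be true
        "Image": r"C:\Windows\regedit.exe",
        "OriginalFileName": "REGEDIT.EXE",
        "CommandLine": r"regedit.exe /e C:\exports\app.reg HKEY_CURRENT_USER\Software\Contoso",
    },
    {   # export with a colon followed by a non-space, non-backslash
        # character -> both filters hold, event is suppressed
        "Image": r"C:\Windows\regedit.exe",
        "OriginalFileName": "REGEDIT.EXE",
        "CommandLine": r"regedit.exe /e C:\exports\app.reg HKEY_CURRENT_USER\Software\Contoso:Profile",
    },
    {   # reg.exe is not in scope for this rule -> no match
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe import C:\Users\Public\settings.reg",
    },
    {   # mixed case still matches (case-insensitive string modifiers)
        "Image": r"C:\WINDOWS\REGEDIT.EXE",
        "OriginalFileName": "REGEDIT.EXE",
        "CommandLine": r"REGEDIT.EXE /S C:\Temp\Policy.REG",
    },
]

def evaluate(events: Iterable[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event, in order."""
    return [rule_matches(e) for e in events]

if __name__ == "__main__":
    for ev, hit in zip(EVENTS, evaluate(EVENTS)):
        print("MATCH   " if hit else "no match", ev["CommandLine"])
```

The second and third events are the ones worth studying when tuning: they differ only by the `:Profile` suffix, and that single regex hit is what flips the verdict under the rule's `not all of filter_*` condition.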