it's possible for system administrators to write scripts that exhibit this behavior. if this is the case, the search will need to be modified to filter them out.

Techniques

T1112

Sample rules

Suspicious Reg exe Process

source: splunk
technicques:
- T1112

Description

The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rename parent_process_id as process_id 
|dedup process_id
| table process_id dest] 
| `suspicious_reg_exe_process_filter`