LoFP / Legitimate administrator sets up autorun keys for legitimate reasons.

Techniques

Sample rules

Potential Persistence Attempt Via Run Keys Using Reg.EXE

Description

Detects a suspicious reg.exe command line adding a key to the Run key in the registry.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - reg
  - ' ADD '
  - Software\Microsoft\Windows\CurrentVersion\Run

Direct Autorun Keys Modification

Description

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Detection logic

condition: all of selection_*
selection_1:
  CommandLine|contains: add
  Image|endswith: \reg.exe
selection_2:
  CommandLine|contains:
  - \software\Microsoft\Windows\CurrentVersion\Run
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  - \software\Microsoft\Windows NT\CurrentVersion\Windows
  - \software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  - \system\CurrentControlSet\Control\SafeBoot\AlternateShell
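To see how the two rule excerpts above behave on the false positive this page describes, here is an added example (not part of the LoFP page or the Sigma rules) that re-implements their selection logic in Python and runs it over constructed process-creation events; the image path and command lines are constructed samples.

```python
# Added example, not from the LoFP page or the Sigma rules themselves: a minimal
# evaluator for the two rule excerpts, run over constructed process-creation events.
# Sigma 'contains'/'endswith' are case-insensitive, so all comparisons are lowercased.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ASEP_PATHS = [
    r"\software\Microsoft\Windows\CurrentVersion\Run",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"\software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"\system\CurrentControlSet\Control\SafeBoot\AlternateShell",
]

def contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in value.lower()

def run_keys_via_reg(event):
    """First rule: CommandLine|contains|all of 'reg', ' ADD ' and the Run key."""
    return all(contains(event["CommandLine"], n) for n in ("reg", " ADD ", RUN_KEY))

def direct_asep_modification(event):
    """Second rule: all of selection_* (reg.exe image + 'add' + any listed ASEP path)."""
    selection_1 = contains(event["CommandLine"], "add") and \
        event["Image"].lower().endswith(r"\reg.exe")
    selection_2 = any(contains(event["CommandLine"], p) for p in ASEP_PATHS)
    return selection_1 and selection_2

def evaluate(events):
    """Return {name: (first_rule_fired, second_rule_fired)} for each event."""
    return {n: (run_keys_via_reg(e), direct_asep_modification(e)) for n, e in events.items()}

REG = r"C:\Windows\System32\reg.exe"  # constructed image path
EVENTS = {
    # The LoFP case: an administrator registering a legitimate tool; both rules fire.
    "admin_run_key": {"Image": REG, "CommandLine":
        r'reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backup /t REG_SZ /d "C:\Tools\backup.exe"'},
    # Read-only query of the same key: neither rule fires.
    "query_only": {"Image": REG, "CommandLine":
        r"reg QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    # Admin resetting the Startup folder path: only the broader second rule fires,
    # so it carries the same false positive on a key the first rule never looks at.
    "shell_folders_reset": {"Image": REG, "CommandLine":
        r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\Start Menu\Programs\Startup"'},
}

if __name__ == "__main__":
    for name, (first, second) in evaluate(EVENTS).items():
        print(f"{name:20} run_keys={first!s:5} direct_asep={second}")
```

Because both rules key on command-line substrings rather than on who ran reg.exe, tuning for this false positive usually means filtering on the user, parent process or the value written, not on the rule strings themselves.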