Periodic Backup For System Registry Hives Enabled
- source: sigma
- techniques:
- t1113
Description
Detects the enabling of the “EnablePeriodicBackup” registry value. Once enabled, the OS will back up the system registry hives on restart to the “C:\Windows\System32\config\RegBack” folder, and Windows creates a “RegIdleBackup” scheduled task to manage subsequent backups. Registry backup was default behaviour on Windows and was disabled as of “Windows 10, version 1803”.
Detection logic
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Control\Session Manager\Configuration Manager\EnablePeriodicBackup
condition: selection
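As an added example (not part of the Sigma rule or of this page), the selection above evaluated in Python over constructed Sysmon Event ID 13 (registry value set) records, showing which events fire and which do not. It assumes Sysmon field names for the log source, which the rule text here does not state, and implements Sigma's case-insensitive matching for the modifiers it needs.

```python
# Constructed Sysmon Event ID 13 records as a SIEM would present them after
# field extraction; these are sample values, not real telemetry.
EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager"
                     "\\Configuration Manager\\EnablePeriodicBackup",
     "Details": "DWORD (0x00000001)"},            # value enabled: should alert
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager"
                     "\\Configuration Manager\\EnablePeriodicBackup",
     "Details": "DWORD (0x00000000)"},            # set back to 0: no alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager"
                     "\\Memory Management\\ClearPageFileAtShutdown",
     "Details": "DWORD (0x00000001)"},            # other value, same data: no alert
]

# The rule's selection map, copied from the detection logic above.
SELECTION = {
    "Details": "DWORD (0x00000001)",
    "TargetObject|endswith": "\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup",
}


def field_matches(event, key, expected):
    """Evaluate one selection entry ('Field' or 'Field|modifier') against an event.
    Sigma string comparisons are case-insensitive; only the modifiers needed here exist."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "contains":
        return expected in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """A Sigma selection map is an AND of all of its entries."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rule(events):
    """Return the events satisfying 'condition: selection'."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT: EnablePeriodicBackup set to 1 by", hit["Image"])
```

Administrators re-enabling periodic backup on purpose will produce the same event, so tune with the writing process (Image) and change-management records before paging on it.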