legitimate use of external db to save the results

t1112
windows
sigma

Techniques

t1112

Sample rules

New BgInfo.EXE Custom DB Path Registry Configuration

source: sigma
technicques:
- t1112

Description

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Detection logic

condition: selection
selection:
  EventType: SetValue
  TargetObject|endswith: \Software\Winternals\BGInfo\Database