Techniques
Sample rules
Reg Add Suspicious Paths
- source: sigma
- techniques:
- t1112
- t1562
- t1562.001
Description
Detects when an adversary uses the reg.exe utility to add or modify registry keys or subkeys under paths commonly abused for persistence, credential access or defence evasion (Winlogon, WDigest, Windows Defender and related locations)
Detection logic
condition: all of selection_*
selection_path:
  CommandLine|contains:
    - '\AppDataLow\Software\Microsoft\'
    - '\Policies\Microsoft\Windows\OOBE'
    - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
    - '\CurrentControlSet\Control\SecurityProviders\WDigest'
    - '\Microsoft\Windows Defender\'
selection_reg:
  - Image|endswith: '\reg.exe'
  - OriginalFileName: 'reg.exe'
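The following is an added example, not part of the rule or of the Sigma project: a small Python evaluator that applies the detection logic above (Sigma semantics: case-insensitive string matching, AND across the fields of one map, OR across the maps of a list, and "all of selection_*" for the condition) to a handful of constructed Sysmon-style process-creation events. The event records, their field names and the helper function names are assumptions made for this demonstration. The sample set deliberately includes a renamed reg.exe (caught through OriginalFileName) and a PowerShell write to the same Winlogon path (not caught, because the rule is scoped to reg.exe), so the example shows both what the rule covers and where a separate rule is needed.

```python
"""Evaluate the 'Reg Add Suspicious Paths' selection logic over sample events.

Added example: rule body transcribed from the page; events and helper names
are constructed for this demo and are not part of the original rule.
"""

# Detection section as Sigma expresses it. selection_path is one map (all of
# its field clauses must hold); selection_reg is a list of maps (any may hold).
RULE_DETECTION = {
    "selection_path": {
        "CommandLine|contains": [
            "\\AppDataLow\\Software\\Microsoft\\",
            "\\Policies\\Microsoft\\Windows\\OOBE",
            "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
            "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon",
            "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
            "\\Microsoft\\Windows Defender\\",
        ],
    },
    "selection_reg": [
        {"Image|endswith": "\\reg.exe"},
        {"OriginalFileName": "reg.exe"},
    ],
}


def _field_matches(event, field_spec, expected):
    """Apply one 'Field|modifier: value(s)' clause; Sigma matching is case-insensitive."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if modifier == "contains":
        return any(w in value for w in wanted)
    if modifier == "endswith":
        return any(value.endswith(w) for w in wanted)
    if modifier == "":
        return value in wanted
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _map_matches(event, clause_map):
    """All field clauses inside one map must hold (AND)."""
    return all(_field_matches(event, spec, exp) for spec, exp in clause_map.items())


def _selection_matches(event, selection):
    """A selection given as a list of maps is an OR over those maps."""
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)


def matches_rule(event):
    """condition: all of selection_* -> every selection_* block must match."""
    return all(
        _selection_matches(event, sel)
        for name, sel in RULE_DETECTION.items()
        if name.startswith("selection_")
    )


def run_detection(events):
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 1 style records (hypothetical, for this demo only).
SAMPLE_EVENTS = [
    {   # 1: stock reg.exe editing the Winlogon key -> should match
        "id": 1,
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,updater.exe" /f',
    },
    {   # 2: same key written via PowerShell -> outside this rule's scope, no match
        "id": 2,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell -c Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" Shell "explorer.exe,updater.exe"',
    },
    {   # 3: benign reg.exe query of an unrelated key -> no match
        "id": 3,
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKCU\Software\Contoso\App /v Version",
    },
    {   # 4: reg.exe copied under another name; OriginalFileName still identifies it -> match
        "id": 4,
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    },
]

if __name__ == "__main__":
    print("matching event ids:", run_detection(SAMPLE_EVENTS))  # [1, 4]
```

Event 2 is the caveat worth remembering when tuning: any registry write that does not go through reg.exe (PowerShell, regedit /s, direct API calls from an implant) is invisible to this rule and needs registry-event telemetry such as Sysmon Event ID 13 rather than process-creation logs. Event 4 shows why keeping the OriginalFileName branch matters even though it looks redundant next to the Image check.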