Techniques
Sample rules
Access To .Reg/.Hive Files By Uncommon Application
- source: sigma
- techniques:
- t1112
Description
Detects file access requests to files ending with the ".hive" or ".reg" extension, which are usually associated with Windows Registry backups and exports, when the requesting process runs from outside the standard Windows and Program Files directories.
Detection logic
detection:
    selection:
        FileName|endswith:
            - '.hive'
            - '.reg'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
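To see how the selection and the filter interact, the following is an added example (not code from the Sigma project) that evaluates the rule's logic in plain Python over a handful of constructed file-access events. The event field names (Image, FileName) are taken from the rule itself; the sample paths, process names and the evaluate() helper are assumptions made for this illustration. Sigma string matching is case-insensitive by default, so the evaluator lower-cases both sides before comparing.

```python
# Added example: a minimal evaluator for the Sigma rule above, run over
# constructed events. Not part of the Sigma project; only the field names
# (Image, FileName) and the literal values come from the rule.

# selection: FileName|endswith
SELECTION_FILENAME_SUFFIXES = (".hive", ".reg")

# filter_main_generic: Image|contains
FILTER_IMAGE_SUBSTRINGS = (
    ":\\Program Files (x86)\\",
    ":\\Program Files\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
)


def _lc(value):
    """Sigma matches strings case-insensitively; normalise once here."""
    return (value or "").lower()


def selection(event):
    """True when the accessed file ends with .hive or .reg (any case)."""
    return _lc(event.get("FileName")).endswith(SELECTION_FILENAME_SUFFIXES)


def filter_main_generic(event):
    """True when the accessing process image lives under a trusted directory.

    Note the match is a substring test on the path prefix only; a binary
    placed anywhere beneath these directories is filtered out.
    """
    image = _lc(event.get("Image"))
    return any(_lc(fragment) in image for fragment in FILTER_IMAGE_SUBSTRINGS)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    filters = (filter_main_generic,)  # every filter_main_* block goes here
    return selection(event) and not any(f(event) for f in filters)


def evaluate(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # 1: unknown tool in a user temp dir reading a hive -> alert
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "FileName": r"C:\Users\alice\Desktop\sam.hive"},
    # 2: reg.exe from System32 reading a hive -> filtered out
    {"Image": r"C:\Windows\System32\reg.exe",
     "FileName": r"C:\backup\system.hive"},
    # 3: upper-case .REG extension still selected -> alert
    {"Image": r"C:\Users\bob\Downloads\dump.exe",
     "FileName": r"C:\Users\bob\Downloads\export.REG"},
    # 4: same tool, but not a .reg/.hive file -> no selection
    {"Image": r"C:\Users\bob\Downloads\dump.exe",
     "FileName": r"C:\Users\bob\Downloads\notes.txt"},
    # 5: Program Files on a non-C: drive still matches ':\Program Files\'
    {"Image": r"D:\Program Files\Vendor\agent.exe",
     "FileName": r"D:\data\settings.reg"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["FileName"])
```

Two properties of the rule are visible in the sample run: the drive-letter-agnostic ':\' prefixes mean the filter applies on any volume, and because the filter is a path-prefix test, any process image located under those directories is excluded regardless of what it is, so the rule should be read as a low-noise hunting signal rather than a complete control over registry hive access.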