eq_0007 — 2 rules with the same canonical form
Members

- Exports Critical Registry Keys To a File
- Exports Registry Key To a File
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1012 Query Registry |
Stages and predicates (per member)
Each member's stages are rendered in their own native syntax: verbatim source where the IR captures it, otherwise the synthesised native form for the few stage types whose source segments are not recoverable.
Exports Critical Registry Keys To a File — stage 1 all of selection_img
or:
Image|endswith: '\regedit.exe'
OriginalFileName: REGEDIT.EXE
Exports Critical Registry Keys To a File — stage 2 all of selection_cli_1
CommandLine|contains: ' -E '
Exports Critical Registry Keys To a File — stage 3 all of selection_cli_2
or:
CommandLine|contains: hkey_local_machine
CommandLine|contains: hklm
Exports Critical Registry Keys To a File — stage 4 all of selection_cli_3
or:
CommandLine|endswith: '\sam'
CommandLine|endswith: '\security'
CommandLine|endswith: '\system'
Exports Registry Key To a File — stage 5 all of selection_img
or:
Image|endswith: '\regedit.exe'
OriginalFileName: REGEDIT.EXE
Exports Registry Key To a File — stage 6 all of selection_cli
CommandLine|contains: ' -E '
Exports Registry Key To a File — stage 7 not all of filter_1
or:
CommandLine|contains: hkey_local_machine
CommandLine|contains: hklm
Exports Registry Key To a File — stage 8 not all of filter_2
or:
CommandLine|endswith: '\sam'
CommandLine|endswith: '\security'
CommandLine|endswith: '\system'
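To see how the stages above combine on real input, here is an added example (not code from the corpus or from the rules' authors) that implements the eight stages as Python predicates and runs them over constructed process-creation events. Field names follow the Sigma `process_creation` convention visible on the page, and string matching is case-insensitive, as Sigma's modifiers are by default. The listing renders the two filter stages separately and does not state how they are combined; the example assumes the usual Sigma form `not all of filter_*`, meaning the generic rule is suppressed only when both filters match, which makes the two members exact complements over `regedit -E` invocations. The sample events, their paths and the `id` field are constructed for the example.

```python
"""Evaluate this equivalence class's two rules over constructed process events.

Added example, not code from the corpus or from the rules' authors.
Assumption: the generic rule's filter stages combine as Sigma's
`not all of filter_*` (suppressed only when BOTH filters match).
"""


def _norm(value):
    # Sigma string matching is case-insensitive by default, so both the
    # event value and the rule literal are lower-cased before comparing.
    return (value or "").lower()


def contains(event, field, literals):
    haystack = _norm(event.get(field))
    return any(_norm(lit) in haystack for lit in literals)


def endswith(event, field, literals):
    haystack = _norm(event.get(field))
    return any(haystack.endswith(_norm(lit)) for lit in literals)


def equals(event, field, literals):
    haystack = _norm(event.get(field))
    return any(haystack == _norm(lit) for lit in literals)


# Stages 1 and 5 (selection_img): either predicate matches.  OriginalFileName
# comes from the PE version resource, so a renamed regedit.exe still matches.
def selection_img(event):
    return endswith(event, "Image", ["\\regedit.exe"]) or equals(
        event, "OriginalFileName", ["REGEDIT.EXE"]
    )


# Stages 2 and 6: the literal ' -E ' including its surrounding spaces.
def selection_cli(event):
    return contains(event, "CommandLine", [" -E "])


# Stage 3 / filter_1: the command line names the HKLM hive.
def names_hklm(event):
    return contains(event, "CommandLine", ["hkey_local_machine", "hklm"])


# Stage 4 / filter_2: the command line ends with a credential-bearing hive.
def ends_with_critical_hive(event):
    return endswith(event, "CommandLine", ["\\sam", "\\security", "\\system"])


def critical_rule(event):
    """Exports Critical Registry Keys To a File: all four stages hold."""
    return (selection_img(event) and selection_cli(event)
            and names_hklm(event) and ends_with_critical_hive(event))


def generic_rule(event):
    """Exports Registry Key To a File: selections hold, filters not both."""
    return (selection_img(event) and selection_cli(event)
            and not (names_hklm(event) and ends_with_critical_hive(event)))


def evaluate(event):
    """Names of the member rules that fire on one event."""
    rules = (("critical", critical_rule), ("generic", generic_rule))
    return [name for name, rule in rules if rule(event)]


# Constructed sample events (Sysmon Event ID 1 / Sigma process_creation fields).
SAMPLE_EVENTS = [
    {"id": "hklm-sam", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"C:\Windows\regedit.exe -E C:\Users\Public\s.reg HKLM\SAM"},
    {"id": "lowercase-long-hive", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe -e out.reg hkey_local_machine\system"},
    # Quoting the key leaves a trailing quote, so the endswith stage fails.
    {"id": "quoted-hklm-sam", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r'regedit.exe -E out.reg "HKLM\SAM"'},
    {"id": "hkcu-key", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe -E out.reg HKCU\Software\Contoso"},
    # Slash switch: the rules' literal is ' -E ', so this matches neither.
    {"id": "slash-switch", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /E out.reg HKLM\SAM"},
    # Renamed binary caught through OriginalFileName.
    {"id": "renamed-binary", "Image": r"C:\Temp\r.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"r.exe -E dump.reg HKLM\SECURITY"},
    {"id": "silent-import", "Image": r"C:\Windows\regedit.exe",
     "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": r"regedit.exe /S C:\evil.reg"},
]


def run(events=SAMPLE_EVENTS):
    """Map each event id to the list of rules that fire on it."""
    return {event["id"]: evaluate(event) for event in events}


if __name__ == "__main__":
    for event_id, fired in run().items():
        print(f"{event_id:22} -> {fired or ['(none)']}")
```

Two things the run makes visible that the stage listing only implies. First, stages 3 and 4 carry the same predicates as filter_1 and filter_2: the first member requires them and the second excludes them, so the two rules are complements rather than duplicates, and at most one of them fires on any event; deploying only one of them shows only one side of `regedit -E` activity. Second, the critical rule's `endswith` stage keys on the hive name being the final characters of the command line, so a quoted key such as `"HKLM\SAM"` ends in a quote and drops into the generic rule, and the `' -E '` literal does not match a switch written with a slash or without surrounding spaces, which falls through both rules. Both are properties of the predicates as written, not of regedit, and worth checking against the command-line shapes seen in your own telemetry.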
Indicators (across all members)
| Field | Kind | Value | Members | Corpus |
|---|---|---|---|---|
| CommandLine | ends_with | \sam | 2 | 2 |
| CommandLine | ends_with | \security | 2 | 2 |
| CommandLine | ends_with | \system | 2 | 2 |
| CommandLine | match | -E | 2 | 2 |
| CommandLine | match | hkey_local_machine | 2 | 3 |
| CommandLine | match | hklm | 2 | 3 |
| Image | ends_with | \regedit.exe | 2 | 8 |
| OriginalFileName | eq | REGEDIT.EXE | 2 | 4 |