detection.wiki

Detection rules › Sigma

Potential Suspicious Registry File Imported Via Reg.EXE

Severity
medium
Author
frack113, Nasreddine Bencherchali
Source
upstream

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe

Stage 2: all of selection_cli

CommandLine|contains: ' import '

Stage 3: all of selection_paths

or:
CommandLine|contains: '%appdata%'
CommandLine|contains: '%temp%'
CommandLine|contains: '%tmp%'
CommandLine|contains: 'C:\ProgramData\'
CommandLine|contains: 'C:\Users\'
CommandLine|contains: 'C:\Windows\Temp\'
CommandLine|contains: '\AppData\Local\Temp\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • import
  • %appdata% corpus 4 (sigma 4)
  • %temp% corpus 5 (sigma 5)
  • %tmp% corpus 9 (sigma 9)
  • C:\ProgramData\ corpus 6 (sigma 6)
  • C:\Users\ corpus 5 (sigma 5)
  • C:\Windows\Temp\ corpus 4 (sigma 4)
  • \AppData\Local\Temp\ corpus 16 (sigma 16)
Imageends_with
  • \reg.exe corpus 46 (sigma 46)
OriginalFileNameeq
  • reg.exe corpus 29 (sigma 29)