Potential Configuration And Service Reconnaissance Via Reg.EXE

Severity: medium
Author: Timur Zinniatullin, oscd.community
Source: upstream

Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1007` System Service Discovery, `T1012` Query Registry

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe

Stage 2: `all of selection_flag`

CommandLine|contains: query

Stage 3: `all of selection_key`

or:
CommandLine|contains: 'currentVersion\policies\explorer\run'
CommandLine|contains: 'currentVersion\run'
CommandLine|contains: 'currentVersion\shellServiceObjectDelayLoad'
CommandLine|contains: 'currentVersion\windows'
CommandLine|contains: 'currentcontrolset\services'
CommandLine|contains: 'winlogon\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`currentVersion\policies\explorer\run` `currentVersion\run` `currentVersion\shellServiceObjectDelayLoad` `currentVersion\windows` `currentcontrolset\services` `query` corpus 6 (sigma 6) `winlogon\`
`Image`	ends_with	`\reg.exe` corpus 46 (sigma 46)
`OriginalFileName`	eq	`reg.exe` corpus 29 (sigma 29)