Exports Critical Registry Keys To a File

Severity: high
Author: Oddvar Moe, Sander Wiebing, oscd.community
Source: upstream

Detects the export of a crital Registry key to a file.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1012` Query Registry

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\regedit.exe'
OriginalFileName: REGEDIT.EXE

Stage 2: `all of selection_cli_1`

CommandLine|contains: ' -E '

Stage 3: `all of selection_cli_2`

or:
CommandLine|contains: hkey_local_machine
CommandLine|contains: hklm

Stage 4: `all of selection_cli_3`

or:
CommandLine|endswith: '\sam'
CommandLine|endswith: '\security'
CommandLine|endswith: '\system'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`\sam` corpus 2 (sigma 2) `\security` corpus 2 (sigma 2) `\system` corpus 2 (sigma 2)
`CommandLine`	match	`-E` corpus 2 (sigma 2) `hkey_local_machine` corpus 3 (sigma 3) `hklm` corpus 3 (sigma 3)
`Image`	ends_with	`\regedit.exe` corpus 8 (sigma 8)
`OriginalFileName`	eq	`REGEDIT.EXE` corpus 4 (sigma 4)

Neighbors

Equivalent rules

1 other rule has the same matching logic as this one. Useful for cross-vendor comparison or picking the variant your stack supports. See eq_0007.