Detectionhightest

PDF File Created By RegEdit.EXE

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon Jul 08145095eb-e273-443b-83d0-f9b519b7867bwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\regedit.exe'
        TargetFilename|endswith: '.pdf'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

sensepost.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Rule Metadata

Rule ID

145095eb-e273-443b-83d0-f9b519b7867b

Status

test

Level

high

Type

Detection

Created

Mon Jul 08

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml

Raw Tags

attack.defense-evasion

View on GitHub