Threat Huntlowtest
Access To .Reg/.Hive Files By Uncommon Applications
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Hunting Hypothesis
Log Source
Windowsfile_access
ProductWindows← raw: windows
Categoryfile_access← raw: file_access
Definition
Requirements: Microsoft-Windows-Kernel-File ETW provider
Detection Logic
Detection Logic2 selectors
detection:
selection:
FileName|endswith:
- '.hive'
- '.reg'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*False Positives
Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
References
MITRE ATT&CK
Techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
337a31c6-46c4-46be-886a-260d7aa78cac
Status
test
Level
low
Type
Threat Hunt
Created
Fri Sep 15
Modified
Mon Jul 29
Author
Path
rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
Raw Tags
attack.t1112attack.defense-evasionattack.persistencedetection.threat-hunting