Detectionhightest

SafeBoot Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems), Tim SheltonCreated Mon Aug 08Updated Sat Feb 04fc0e89b5-adb0-43c1-b749-c12a10ec37dewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

trendmicro.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionhigh

Add SafeBoot Keys Via Reg Utility

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

fc0e89b5-adb0-43c1-b749-c12a10ec37de

Status

test

Level

high

Type

Detection

Created

Mon Aug 08

Modified

Sat Feb 04

Author

Nasreddine Bencherchali (Nextron Systems), Tim Shelton

Path

rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub