Type: Detection · Level: high · Status: test
Dumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, François Hubaut
Created: Tue Oct 22 · Updated: Wed Dec 13
Rule ID: fd877b94-9bb5-4191-bb25-d79cbd93c167 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_flag:
        CommandLine|contains:
            - ' save '
            - ' export '
            - ' ˢave '
            - ' eˣport '
    selection_cli_hklm:
        CommandLine|contains:
            - 'hklm'
            - 'hk˪m'
            - 'hkey_local_machine'
            - 'hkey_˪ocal_machine'
            - 'hkey_loca˪_machine'
            - 'hkey_˪oca˪_machine'
    selection_cli_hive:
        CommandLine|contains:
            - '\system'
            - '\sam'
            - '\security'
            - '\ˢystem'
            - '\syˢtem'
            - '\ˢyˢtem'
            - '\ˢam'
            - '\ˢecurity'
    condition: all of selection_*
False Positives
Dumping hives for legitimate purposes, such as backup or forensic investigation
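As an added illustration (not code from the rule or from the SigmaHQ project), the evaluator below applies the four selectors above, joined by `all of selection_*`, to a few constructed process-creation events; it assumes events are dicts keyed by the rule's field names (Image, OriginalFileName, CommandLine) and, like Sigma's string modifiers, matches case-insensitively.

```python
# Selector values copied from the rule above. Sigma's contains/endswith
# modifiers are case-insensitive, so every comparison lowercases first.
IMAGE_SUFFIX = "\\reg.exe"
ORIGINAL_FILE_NAME = "reg.exe"
CLI_FLAG = [" save ", " export ", " ˢave ", " eˣport "]
CLI_HKLM = ["hklm", "hk˪m", "hkey_local_machine", "hkey_˪ocal_machine",
            "hkey_loca˪_machine", "hkey_˪oca˪_machine"]
CLI_HIVE = ["\\system", "\\sam", "\\security", "\\ˢystem", "\\syˢtem",
            "\\ˢyˢtem", "\\ˢam", "\\ˢecurity"]


def _contains_any(value, needles):
    """Sigma 'contains' over a list: true if any needle is a substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """True when one event satisfies 'all of selection_*'.

    Missing fields are treated as empty strings, so an event without a
    CommandLine can never match.
    """
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # selection_img is a list of maps, so its two entries are OR-ed.
    sel_img = image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME
    return (sel_img
            and _contains_any(cmd, CLI_FLAG)
            and _contains_any(cmd, CLI_HKLM)
            and _contains_any(cmd, CLI_HIVE))


# Constructed sample events (hypothetical paths and command lines).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg save HKLM\\SAM C:\\temp\\sam.hiv"},          # match
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft"},           # benign
    {"Image": "C:\\tools\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "r.exe export HKEY_LOCAL_MACHINE\\SECURITY o.reg"},  # match via OriginalFileName
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg ˢave hk˪m\\ˢystem C:\\temp\\sys.hiv"},     # match via modifier-letter spellings
]


def evaluate(events):
    """Return one boolean per event, in order."""
    return [matches(e) for e in events]
```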
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1003.002, T1003.004, T1003.005
CAR Analytics
CAR 2013-07-001
Related Rules
Similar: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e (rule not found)
Similar: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0 (rule not found)
Rule Metadata
Rule ID: fd877b94-9bb5-4191-bb25-d79cbd93c167
Status: test
Level: high
Type: Detection
Created: Tue Oct 22
Modified: Wed Dec 13
Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, François Hubaut
Path: rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
Raw Tags: attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001