sigma | high | Hunting

Service Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on the services registry key. Often used by attackers to remove AV software services.

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith: 'reg.exe'
  - OriginalFileName: 'reg.exe'
selection_delete:
  CommandLine|contains: ' delete '
selection_key:
  CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
condition: all of selection_*
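To make the matching semantics concrete, here is an added example (not part of the Sigma rule or the page) that evaluates the three selections and the `all of selection_*` condition over constructed process-creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, so the comparison lower-cases both sides; the service name and file paths in the sample events are placeholders.

```python
# Added example: a minimal evaluator for the rule above, run over constructed
# Sysmon Event ID 1 style events (field names as used in the rule).
SERVICES_KEY = "\\SYSTEM\\CurrentControlSet\\services\\"


def _contains(value, needle):
    # Sigma 'contains' is case-insensitive by default
    return needle.lower() in (value or "").lower()


def _endswith(value, suffix):
    # Sigma 'endswith' is case-insensitive by default
    return (value or "").lower().endswith(suffix.lower())


def selection_img(event):
    # Either the path ends in reg.exe or the PE's OriginalFileName says so
    # (catches a renamed copy of the binary, which Image alone would miss)
    return _endswith(event.get("Image"), "reg.exe") or \
        (event.get("OriginalFileName") or "").lower() == "reg.exe"


def selection_delete(event):
    return _contains(event.get("CommandLine"), " delete ")


def selection_key(event):
    return _contains(event.get("CommandLine"), SERVICES_KEY)


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_delete(event) and selection_key(event)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg delete "HKLM\SYSTEM\CurrentControlSet\services\ExampleAV" /f'},
    # Renamed binary: Image does not end in reg.exe, OriginalFileName still matches
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"r.exe DELETE HKLM\System\CurrentControlSet\Services\ExampleAV /f"},
    # Benign: a query, not a delete
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\services\W32Time"},
    # Delete outside the services key: out of scope for this rule
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg delete HKCU\Software\Example /v Setting /f"},
]


def evaluate(events):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only the first two constructed events fire; the comment in the raw rule about adding specific service names would be implemented by narrowing `SERVICES_KEY`.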

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-01

Data Sources

windows / Process Creation Events

Platforms

windows

Tags

attack.defense-evasion, attack.t1562.001
Raw Content
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on the services registry key. Often used by attackers to remove AV software services
references:
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains: ' delete '
    selection_key:
        # Add specific services if you would like the rule to be more specific
        CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high