← Back to Explore
sigmamediumHunting
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
Detection Query
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_cli:
CommandLine|contains: " import "
selection_paths:
CommandLine|contains:
- C:\Users\
- "%temp%"
- "%tmp%"
- "%appdata%"
- \AppData\Local\Temp\
- C:\Windows\Temp\
- C:\ProgramData\
condition: all of selection_*
Author
frack113, Nasreddine Bencherchali
Created
2022-08-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.persistenceattack.t1112attack.defense-evasion
Raw Content
title: Potential Suspicious Registry File Imported Via Reg.EXE
id: 62e0298b-e994-4189-bc87-bc699aa62d97
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: derived
status: test
description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
author: frack113, Nasreddine Bencherchali
date: 2022-08-01
modified: 2023-02-05
tags:
- attack.persistence
- attack.t1112
- attack.defense-evasion
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains: ' import '
selection_paths:
CommandLine|contains:
- 'C:\Users\'
- '%temp%'
- '%tmp%'
- '%appdata%'
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
- 'C:\ProgramData\'
condition: all of selection_*
falsepositives:
- Legitimate import of keys
level: medium