sigmahighHunting

Add SafeBoot Keys Via Reg Utility

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

MITRE ATT&CK

T1685

Detection Query

selection_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_safeboot:
  CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot
selection_flag:
  CommandLine|contains:
    - " copy "
    - " add "
condition: all of selection*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Tags

attack.defense-impairmentattack.t1685

Raw Content

title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml