sigmahighHunting

Add SafeBoot Keys Via Reg Utility

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

MITRE ATT&CK

T1562.001

defense-evasion

Detection Query

selection_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_safeboot:
  CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot
selection_flag:
  CommandLine|contains:
    - " copy "
    - " add "
condition: all of selection*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Tags

attack.defense-evasionattack.t1562.001

Raw Content

title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml