sigmahighHunting

SafeBoot Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

MITRE ATT&CK

T1562.001

defense-evasion

Detection Query

selection_img:
  - Image|endswith: reg.exe
  - OriginalFileName: reg.exe
selection_delete:
  CommandLine|contains|all:
    - " delete "
    - \SYSTEM\CurrentControlSet\Control\SafeBoot
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems), Tim Shelton

Created

2022-08-08

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

Tags

attack.defense-evasionattack.t1562.001

Raw Content

title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high