title: Imports Registry Key From a File
id: 73bba97f-a82d-42ce-b315-9182e76c57b1
status: experimental
description: Detects the import of the specified file to the registry with regedit.exe.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
tags:
    - attack.t1112
    - attack.defense_evasion
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        CommandLine|contains:
            - ' /i '
            - '.reg'
    filter:
        CommandLine|contains:
            - ' /e '
            - ' /a '
            - ' /c '
    filter_2:
        CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
    condition: selection and not filter and not filter_2
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate import of keys
level: medium