SigmaHQ/rules/windows/process_creation/win_regedit_export_keys.yml
2020-11-30 02:08:54 +01:00

36 lines
1.0 KiB
YAML

title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
status: experimental
description: Detects the export of the target Registry key to a file.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
tags:
- attack.exfiltration
- attack.t1012
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
CommandLine|contains: ' /E '
filter_1: # filters to avoid intersection with critical keys rule
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
filter_2:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: selection and not (filter_1 and filter_2)
fields:
- ParentImage
- CommandLine
falsepositives:
- Legitimate export of keys
level: low