valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d1582944a7
SigmaHQ/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
Florian Roth d1582944a7 fix: dates in new rules
2021-05-27 16:30:09 +02:00

19 lines
511 B
YAML
Raw Blame History

title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
description: Detects a regedit started with TrustedInstaller privileges
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth
date: 2021/05/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
ParentImage|endswith: '\TrustedInstaller.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Reference in New Issue View Git Blame Copy Permalink