Home/CVE-2019-11644/Sigma rules
Sigma

Sigma rules for CVE-2019-11644

1 rules · scoped to cve · back to CVE-2019-11644
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

1 of 1
direct high
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
status test author frack113 id 1547e27c-3974-43e2-a7d7-7f484fb928ec license Sigma · DRL-1.1
view Sigma YAML 
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin