Sigma rules for Reg
32 rules · scoped to tool · back to Reg
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
- id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
type: similar
status: experimental
description: |
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add ' # reg.exe modification
- 'New-ItemProperty'
- 'Set-ItemProperty'
- 'si ' # short for Set-ItemProperty
selection_cli_paths_root:
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
selection_cli_paths_suffix:
CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
condition: all of selection_*
falsepositives:
- Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_reg:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_path:
CommandLine|contains:
# Add more suspicious registry locations below
- '\AppDataLow\Software\Microsoft\'
- '\Policies\Microsoft\Windows\OOBE'
- '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
- '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
- '\CurrentControlSet\Control\SecurityProviders\WDigest'
- '\Microsoft\Windows Defender\'
condition: all of selection_*
falsepositives:
- Rare legitimate add to registry via cli (to these locations)
level: high
title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
- id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
type: obsolete
- id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- car.2013-07-001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_flag:
CommandLine|contains:
- ' save '
- ' export '
- ' ˢave '
- ' eˣport '
selection_cli_hklm:
CommandLine|contains:
- 'hklm'
- 'hk˪m'
- 'hkey_local_machine'
- 'hkey_˪ocal_machine'
- 'hkey_loca˪_machine'
- 'hkey_˪oca˪_machine'
selection_cli_hive:
CommandLine|contains:
- '\system'
- '\sam'
- '\security'
- '\ˢystem'
- '\syˢtem'
- '\ˢyˢtem'
- '\ˢam'
- '\ˢecurity'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
- id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_safeboot:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
selection_flag:
CommandLine|contains:
- ' copy '
- ' add '
condition: all of selection*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
- id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
type: similar
status: experimental
description: |
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_action:
CommandLine|contains:
- 'del'
- 'Remove-Item'
- 'ri '
selection_reg_path:
CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
condition: all of selection_*
falsepositives:
- May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high
title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.001
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_execution_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
- ParentImage|endswith: '\wmiprvse.exe'
selection_execution_cmd:
CommandLine|contains|all:
- 'reg'
- ' add '
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
selection_suspicious_paths_1:
CommandLine|contains:
- ':\Perflogs'
- :\ProgramData'
- ':\Windows\Temp'
- ':\Temp'
- '\AppData\Local\Temp'
- '\AppData\Roaming'
- ':\$Recycle.bin'
- ':\Users\Default'
- ':\Users\public'
- '%temp%'
- '%tmp%'
- '%Public%'
- '%AppData%'
selection_suspicious_paths_user_1:
CommandLine|contains: ':\Users\'
selection_suspicious_paths_user_2:
CommandLine|contains:
- '\Favorites'
- '\Favourites'
- '\Contacts'
- '\Music'
- '\Pictures'
- '\Documents'
- '\Photos'
condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
- Legitimate administrative activity or software installations
level: high
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_root_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_root_path:
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_0:
CommandLine|contains|all:
- ' add '
- 'd 0'
CommandLine|contains:
- 'DisallowExploitProtectionOverride'
- 'EnableControlledFolderAccess'
- 'MpEnablePus'
- 'PUAProtection'
- 'SpynetReporting'
- 'SubmitSamplesConsent'
- 'TamperProtection'
selection_dword_1:
CommandLine|contains|all:
- ' add '
- 'd 1'
CommandLine|contains:
- 'DisableAccess'
- 'DisableAntiSpyware'
- 'DisableAntiSpywareRealtimeProtection'
- 'DisableAntiVirus'
- 'DisableAntiVirusSignatures'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableCloudProtection'
- 'DisableConfig'
- 'DisableEnhancedNotifications'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableNetworkProtection'
- 'DisableOnAccessProtection'
- 'DisablePrivacyMode'
- 'DisableRealtimeMonitoring'
- 'DisableRoutinelyTakingAction'
- 'DisableScanOnRealtimeEnable'
- 'DisableScriptScanning'
- 'DisableSecurityCenter'
- 'Notification_Suppress'
- 'SignatureDisableUpdateOnStartupWithoutEngine'
condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
- Rare legitimate use by administrators to test software (should always be investigated)
level: high
title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
- id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
type: similar
status: experimental
description: |
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
selection_cli_base:
CommandLine|contains: '\DeviceGuard'
selection_cli_key:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'HypervisorEnforcedCodeIntegrity'
condition: all of selection_*
falsepositives:
- Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: Disable Hypervisor-Enforced Code Integrity (HVCI)
technique: T1562.001
atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high
title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
- https://twitter.com/JohnLaTwC/status/1415295021041979392
- https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
- https://vms.drweb.fr/virus/?i=24144899
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_reg_add:
CommandLine|contains|all:
- 'reg'
- 'add'
selection_cli_reg_start:
CommandLine|contains|all:
- 'd 4'
- 'v Start'
CommandLine|contains:
- '\AppIDSvc'
- '\MsMpSvc'
- '\NisSrv'
- '\SecurityHealthService'
- '\Sense'
- '\UsoSvc'
- '\WdBoot'
- '\WdFilter'
- '\WdNisDrv'
- '\WdNisSvc'
- '\WinDefend'
- '\wscsvc'
- '\wuauserv'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
- id: d7662ff6-9e97-4596-a61d-9839e32dee8d
type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'reg.exe'
- OriginalFileName: 'reg.exe'
selection_delete:
CommandLine|contains|all:
- ' delete '
- '\SYSTEM\CurrentControlSet\Control\SafeBoot'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
- id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
type: similar
status: experimental
description: |
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
AMSI provides a generic interface for applications and services to integrate with antimalware products.
Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_key:
CommandLine|contains|all:
- '\Software\Microsoft\Windows Script\Settings'
- 'AmsiEnable'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains: 'add'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd:
CommandLine|contains:
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'sp '
condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
- id: 87a476dc-0079-4583-a985-dee7a20a03de
type: similar
status: experimental
description: |
Detects the use of reg.exe to export registry paths associated with third-party credentials.
Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
- https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_save:
CommandLine|contains:
- 'save'
- 'export'
selection_cli_path:
CommandLine|contains:
- '\Software\Aerofox\Foxmail\V3.1'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\DownloadManager\Passwords'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\IncrediMail\Identities'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\Mobatek\MobaXterm'
- '\Software\OpenSSH\Agent\Keys'
- '\Software\OpenVPN-GUI\configs'
- '\Software\ORL\WinVNC3\Password'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RealVNC\WinVNC4'
- '\Software\RimArts\B2\Settings'
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\SimonTatham\PuTTY\SshHostKeys'
- '\Software\Sota\FFFTP'
- '\Software\TightVNC\Server'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- attack.lateral-movement
- attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_main_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_main_cli:
CommandLine|contains|all:
- ' add '
- '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection_values_2:
CommandLine|contains:
- 'AllowTSConnections'
- 'fDenyTSConnections'
- 'fEnableWinStation'
- 'fSingleSessionPerUser'
- 'IdleWinStationPoolCount'
- 'MaxInstanceCount'
- 'SecurityLayer'
- 'TSAdvertise'
- 'TSAppCompat'
- 'TSEnabled'
- 'TSUserEnabled'
- 'WinStations\RDP-Tcp'
filter_main_values_tls:
CommandLine|contains|all:
- 'SecurityLayer'
- '02' # TLS Enabled
condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
references:
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'reg.exe'
- OriginalFileName: 'reg.exe'
selection_delete:
CommandLine|contains: ' delete '
selection_key:
# Add specific services if you would like the rule to be more specific
CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
id: 22154f0e-5132-4a54-aa78-cc62f6def531
related:
- id: d526c60a-e236-4011-b165-831ffa52ab70
type: similar
status: experimental
description: |
Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.
The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.
Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors
to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
references:
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_1:
CommandLine|contains:
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
selection_cli_2:
CommandLine|contains|all:
- '\Control\CI\Config'
- 'VulnerableDriverBlocklistEnable'
condition: all of selection_*
falsepositives:
- It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml
title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
type: similar
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
type: similar
status: experimental
description: |
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
- https://woshub.com/disable-credential-guard-windows/
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
# add/modify
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
# delete
- 'delete '
- 'del '
- 'Remove-ItemProperty '
- 'rp '
selection_key_base:
CommandLine|contains:
- '\Control\DeviceGuard'
- '\Control\LSA'
- 'Software\Policies\Microsoft\Windows\DeviceGuard'
selection_key_specific:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'RequirePlatformSecurityFeatures'
- 'LsaCfgFlags'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- '\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
CommandLine|contains:
- 'EnableBDEWithNoTPM'
- 'UseAdvancedStartup'
- 'UseTPM'
- 'UseTPMKey'
- 'UseTPMKeyPIN'
- 'RecoveryKeyMessageSource'
- 'UseTPMPIN'
- 'RecoveryKeyMessage'
condition: selection
falsepositives:
- Unlikely
level: high
title: Registry Modification Attempt Via VBScript - PowerShell
id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
related:
- id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
type: similar
- id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
type: similar
status: experimental
description: |
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands.
Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.
This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
references:
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'CreateObject'
- 'Wscript.shell'
- '.RegWrite'
condition: selection
falsepositives:
- Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium
title: Potential Suspicious Registry File Imported Via Reg.EXE
id: 62e0298b-e994-4189-bc87-bc699aa62d97
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: derived
status: test
description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
author: frack113, Nasreddine Bencherchali
date: 2022-08-01
modified: 2023-02-05
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains: ' import '
selection_paths:
CommandLine|contains:
- 'C:\Users\'
- '%temp%'
- '%tmp%'
- '%appdata%'
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
- 'C:\ProgramData\'
condition: all of selection_*
falsepositives:
- Legitimate import of keys
level: medium
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
- https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
- https://trustedsec.com/blog/command-line-underdog-wmic-in-action
- https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
- attack.persistence
- attack.execution
- attack.discovery
- attack.defense-impairment
- attack.t1047
- attack.t1112
- attack.t1012
logsource:
category: process_creation
product: windows
detection:
selection_img: # Example command simulated: WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'call'
- 'stdregprov'
condition: all of selection_*
falsepositives:
- Legitimate administrative activity
level: medium
title: Potential Configuration And Service Reconnaissance Via Reg.EXE
id: 970007b7-ce32-49d0-a4a4-fbef016950bd
status: test
description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
- attack.discovery
- attack.t1012
- attack.t1007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_flag:
CommandLine|contains: 'query'
selection_key:
CommandLine|contains:
- 'currentVersion\windows'
- 'winlogon\'
- 'currentVersion\shellServiceObjectDelayLoad'
- 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
- 'currentVersion\policies\explorer\run'
- 'currentcontrolset\services'
condition: all of selection_*
falsepositives:
- Discord
level: medium
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
- 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
CommandLine|contains|all:
- 'ADD '
- '/t '
- 'REG_DWORD '
- '/v '
- '/d '
- '0'
condition: selection
falsepositives:
- Legitimate use
level: medium
title: Windows Recall Feature Enabled Via Reg.EXE
id: 817f252c-5143-4dae-b418-48c3e9f63728
related:
- id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
type: similar
- id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
type: similar
status: test
description: |
Detects the enabling of the Windows Recall feature via registry manipulation.
Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
- attack.collection
- attack.t1113
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_value:
# HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
CommandLine|contains|all:
- 'Microsoft\Windows\WindowsAI'
- 'DisableAIDataAnalysis'
selection_action_add:
CommandLine|contains:
- 'add'
- '0'
selection_action_delete:
CommandLine|contains: 'delete'
condition: selection_img and selection_value and 1 of selection_action_*
falsepositives:
- Legitimate use/activation of Windows Recall
level: medium
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.002
logsource:
category: process_creation
product: windows
detection:
selection_reg:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'HKEY_CURRENT_USER\Control Panel\Desktop'
- 'HKCU\Control Panel\Desktop'
selection_option_1: # /force Active ScreenSaveActive
CommandLine|contains|all:
- '/v ScreenSaveActive'
- '/t REG_SZ'
- '/d 1'
- '/f'
selection_option_2: # /force set ScreenSaveTimeout
CommandLine|contains|all:
- '/v ScreenSaveTimeout'
- '/t REG_SZ'
- '/d '
- '/f'
selection_option_3: # /force set ScreenSaverIsSecure
CommandLine|contains|all:
- '/v ScreenSaverIsSecure'
- '/t REG_SZ'
- '/d 0'
- '/f'
selection_option_4: # /force set a .scr
CommandLine|contains|all:
- '/v SCRNSAVE.EXE'
- '/t REG_SZ'
- '/d '
- '.scr'
- '/f'
condition: selection_reg and 1 of selection_option_*
falsepositives:
- GPO
level: medium
title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
- https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'reg'
- ' add '
CommandLine|contains:
- 'Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml
title: System Language Discovery via Reg.Exe
id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886
status: experimental
description: |
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
references:
- https://scythe.io/threat-thursday/threatthursday-darkside-ransomware
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains|all:
- 'query'
- 'Control\Nls\Language'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml
simulation:
- type: atomic-red-team
name: Discover System Language by Registry Query
technique: T1614.001
atomic_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
- id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
type: similar
status: test
description: |
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
- attack.persistence
- attack.impact
- attack.defense-impairment
- attack.t1112
- attack.t1491.001
logsource:
product: windows
category: process_creation
detection:
# TODO: Improve this to also focus on variation using PowerShell and other CLI tools
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_flag:
CommandLine|contains: 'add'
selection_keys:
CommandLine|contains:
- 'Control Panel\Desktop'
- 'CurrentVersion\Policies\ActiveDesktop'
- 'CurrentVersion\Policies\System'
selection_cli_reg_1:
CommandLine|contains|all:
- '/v NoChangingWallpaper'
- '/d 1' # Prevent changing desktop background
selection_cli_reg_2:
CommandLine|contains|all:
- '/v Wallpaper'
- '/t REG_SZ'
selection_cli_reg_3:
CommandLine|contains|all:
- '/v WallpaperStyle'
- '/d 2' # Stretch
condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
- Administrative scripts that change the desktop background to a company logo or other image.
level: medium
title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
- id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
type: similar
- id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
type: similar
status: experimental
description: |
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'CreateObject'
- 'Wscript.shell'
- '.RegWrite'
condition: selection
falsepositives:
- Unknown
level: medium
title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_add:
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_cli_keys:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
- '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
- '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- '\software\Microsoft\Windows NT\CurrentVersion\Windows'
- '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
condition: all of selection_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'add '
- 'SYSTEM\CurrentControlSet\Services\'
- ' ImagePath '
selection_value:
CommandLine|contains|windash: ' -d '
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: Registry Tampering by Potentially Suspicious Processes
id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
related:
- id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
type: similar
- id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
type: similar
status: experimental
description: |
Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
references:
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-13
modified: 2026-04-14
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: registry_event
product: windows
detection:
selection:
Image|endswith:
# Add more suspicious processes
- '\mshta.exe'
- '\wscript.exe'
- '\cscript.exe'
filter_main_binary_data:
Details: 'Binary Data'
filter_main_null:
Details: null
filter_main_wscript_legit_1:
Image|endswith: '\wscript.exe'
TargetObject|contains:
- 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
- '\Services\bam\State\UserSettings\S-1-'
- 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
- 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
filter_main_wscript_legit_2:
Image|endswith: '\wscript.exe'
TargetObject|contains: '\wscript.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium