Printing Activity Initiated Via RegEdit.EXE

Rule Info

Name
Printing Activity Initiated Via RegEdit.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation of a file with an ".SPL" extension by the "RegEdit.exe" process, which might indicate the start of a print activity. This could be an indicator that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
Date
2024-07-10 00:00:00
Modified
None
Id
0d5562ea-df46-4d64-b6e0-883c7652c6b7
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History