Uncommon File Created By RegEdit.EXE

Rule Info

Name
Uncommon File Created By RegEdit.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation files with an uncommon extension by the RegEdit.EXE process. By default the "RegEdit.exe" process would allow for the export of keys via the GUI as either ".reg", ".txt" or "hives". By excluding known extensions, we can hunt for anomalous ones created by "RegEdit.exe" that covers cases such as when a user might choose to print or save a key as a PDF file in order to extract sensitive information and potentially bypass defenses.
Reference
Internal Research
Date
2024-07-10 00:00:00
Modified
None
Id
c8d41f89-9153-43b2-91f3-45e20239fba9
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022