Reg.exe Manipulating Windows Services Registry Keys

Description

The search looks for reg.exe modifying registry keys that define Windows services and their configurations.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Security Monitoring

Category

Malware

Alert Volume

Low

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Privilege Escalation
Defense Evasion

MITRE ATT&CK Techniques

New Service
Modify Existing Service
Disabling Security Tools

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

Reg.exe Manipulating Windows Services Registry Keys Help

This search looks for reg.exe modifying the registry paths that define and configure Windows services. Reg.exe is a built-in Windows utility for manipulating the registry from the command line. Malware often uses the Windows services architecture to persist, hide in plain sight, and gain the ability to interact with the Windows kernel. While modifying the configuration of Windows services is common (and new services may be created by software installs), using reg.exe to create or modify a service configuration is unusual and a technique commonly used by attackers. The search returns the count, the first time the activity was seen, the last time the activity was seen, the registry path that was modified, the host where the modification took place, and the user that performed the modification.
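As an added example (not part of the Splunk Security Essentials content or its SPL), the following Python reproduces the search's logic over a handful of constructed endpoint process-creation events: keep only reg.exe write operations against service definition keys, then report count, first seen, last seen, registry path, host and user. The event field names `_time`, `host`, `user` and `cmdline` are assumptions about the EDR data, and the service names are placeholders.

```python
import re
from collections import defaultdict

# reg.exe verbs that write to the registry; query/export/compare are read-only.
WRITE_VERBS = {"add", "delete", "copy", "restore", "import", "load"}

# Keys that define Windows services, in the current or any numbered control set.
SERVICES_KEY = re.compile(
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})'
    r'\\Services\\[^"\s]+',
    re.IGNORECASE,
)

# Constructed sample events (assumed field names; not real telemetry).
EVENTS = [
    {"_time": "2024-03-01T10:00:00", "host": "WS01", "user": r"CORP\alice",
     "cmdline": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\u.exe" /f'},
    {"_time": "2024-03-01T10:01:00", "host": "WS01", "user": r"CORP\alice",
     "cmdline": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip /v Start"},
    {"_time": "2024-03-01T10:02:00", "host": "WS01", "user": r"CORP\alice",
     "cmdline": r"reg.exe add HKCU\Software\Contoso\App /v Mode /t REG_DWORD /d 1 /f"},
    {"_time": "2024-03-01T10:05:00", "host": "WS01", "user": r"CORP\alice",
     "cmdline": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc" /v Start /t REG_DWORD /d 2 /f'},
    {"_time": "2024-03-02T08:30:00", "host": "WS07", "user": r"CORP\bob",
     "cmdline": r"C:\Windows\System32\reg.exe delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EDRAgent /f"},
]

def parse_reg_command(cmdline):
    """Return (verb, services_key) when cmdline is reg.exe writing to a
    services key; otherwise None (read-only verbs and other keys are ignored)."""
    tokens = cmdline.split()
    if len(tokens) < 2 or not tokens[0].strip('"').lower().endswith("reg.exe"):
        return None
    verb = tokens[1].lower()
    if verb not in WRITE_VERBS:
        return None
    match = SERVICES_KEY.search(cmdline)
    return (verb, match.group(0)) if match else None

def summarize(events):
    """Aggregate matching events by (host, user, registry path) and report
    count, first seen and last seen, mirroring the search's stats output."""
    buckets = defaultdict(list)
    for ev in events:
        hit = parse_reg_command(ev["cmdline"])
        if hit:
            buckets[(ev["host"], ev["user"], hit[1])].append(ev["_time"])
    return [{"host": h, "user": u, "registry_path": k, "count": len(t),
             "firstTime": min(t), "lastTime": max(t)}
            for (h, u, k), t in sorted(buckets.items())]
```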