Suspicious Reg.exe Process

Description

This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.

Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Modify Registry
Disabling Security Tools

MITRE Threat Groups

APT19
APT32
APT38
APT41
Blue Mockingbird
Dragonfly 2.0
FIN8
Gamaredon Group
Gorgon Group
Honeybee
Lazarus Group
Patchwork
Silence
Threat Group-3390
Turla
Wizard Spider

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Suspicious Reg.exe Process Help

This search looks for the execution of reg.exe with a parent process of cmd.exe. It then runs a subsearch for cmd.exe processes whose parent is not explorer.exe, and joins the two results so that only reg.exe processes that are grandchildren of a non-explorer.exe process are returned. The search reports the number of such instances and the first and last time this activity was seen for each endpoint and user.
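The same main search, subsearch and join logic, written as an added Python example rather than the page's own SPL; it assumes Endpoint.Processes-style field names (dest, user, process_name, process_id, parent_process_name, parent_process_id) and runs over constructed sample events.

```python
from datetime import datetime

# Constructed sample process events (not real telemetry); field names are
# assumed to follow the Endpoint.Processes data model.
EVENTS = [
    # benign: explorer.exe -> cmd.exe -> reg.exe, an interactive user session
    {"_time": "2024-03-01T09:00:00", "dest": "host-a", "user": "alice", "process_name": "cmd.exe",
     "process_id": 100, "parent_process_name": "explorer.exe", "parent_process_id": 10},
    {"_time": "2024-03-01T09:00:05", "dest": "host-a", "user": "alice", "process_name": "reg.exe",
     "process_id": 101, "parent_process_name": "cmd.exe", "parent_process_id": 100},
    # suspicious: w3wp.exe -> cmd.exe -> reg.exe, the cmd.exe was not started by the user
    {"_time": "2024-03-01T10:00:00", "dest": "host-b", "user": "svc-web", "process_name": "cmd.exe",
     "process_id": 200, "parent_process_name": "w3wp.exe", "parent_process_id": 20},
    {"_time": "2024-03-01T10:00:03", "dest": "host-b", "user": "svc-web", "process_name": "reg.exe",
     "process_id": 201, "parent_process_name": "cmd.exe", "parent_process_id": 200},
    {"_time": "2024-03-01T10:05:00", "dest": "host-b", "user": "svc-web", "process_name": "reg.exe",
     "process_id": 202, "parent_process_name": "cmd.exe", "parent_process_id": 200},
    # reg.exe with no cmd.exe parent at all: outside the scope of this search
    {"_time": "2024-03-01T11:00:00", "dest": "host-c", "user": "SYSTEM", "process_name": "reg.exe",
     "process_id": 301, "parent_process_name": "services.exe", "parent_process_id": 30},
]


def suspicious_reg_exe(events):
    """Return {(dest, user): {"count", "firstTime", "lastTime"}} for reg.exe processes
    whose parent cmd.exe was itself not launched by explorer.exe."""
    # Subsearch: cmd.exe instances not started by explorer.exe, keyed by host and PID.
    # Joining on (dest, pid) mirrors the search; note that PID reuse on a busy host can
    # still produce a false join if the cmd.exe and reg.exe events are far apart in time.
    non_explorer_cmd = {
        (e["dest"], e["process_id"]) for e in events
        if e["process_name"].lower() == "cmd.exe"
        and e["parent_process_name"].lower() != "explorer.exe"
    }
    stats = {}
    for e in events:
        # Main search: reg.exe whose parent is cmd.exe
        if e["process_name"].lower() != "reg.exe" or e["parent_process_name"].lower() != "cmd.exe":
            continue
        # Join: that cmd.exe must be one of the non-explorer.exe instances
        if (e["dest"], e["parent_process_id"]) not in non_explorer_cmd:
            continue
        t = datetime.fromisoformat(e["_time"])
        s = stats.setdefault((e["dest"], e["user"]), {"count": 0, "firstTime": t, "lastTime": t})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], t)
        s["lastTime"] = max(s["lastTime"], t)
    return stats
```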