Suspicious Reg Exe Process

Description

This search looks for reg.exe being launched from a command prompt (cmd.exe) that was not started by the user. When a user opens cmd.exe interactively, its parent process is usually explorer.exe; this search filters out those instances and keeps the reg.exe launches whose cmd.exe has some other parent.
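The logic described above, as an added example that is not Splunk's own search: it models process-start events with the Endpoint.Processes field names (dest, process_id, parent_process_id, process_name, process, assumed here) and flags reg.exe whose parent cmd.exe was not itself started by explorer.exe. The sample events are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event, with the Endpoint.Processes field names assumed."""
    dest: str                # host; pids are only unique per host
    process_id: int
    parent_process_id: int
    process_name: str        # image name (case-insensitive on Windows)
    process: str             # full command line


# Constructed sample events: an interactive admin session on ws01, and a
# cmd.exe spawned by a script host that then runs reg.exe.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", 4100, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent("ws01", 5200, 4100, "cmd.exe", "cmd.exe"),
    ProcessEvent("ws01", 5300, 5200, "REG.EXE", "reg query HKLM\\SOFTWARE\\Example"),
    ProcessEvent("ws01", 6100, 1200, "wscript.exe", "wscript.exe C:\\Users\\Public\\update.vbs"),
    ProcessEvent("ws01", 6200, 6100, "cmd.exe", "cmd.exe /c reg add HKCU\\Software\\Example /v Flag /d 1"),
    ProcessEvent("ws01", 6300, 6200, "reg.exe", "reg add HKCU\\Software\\Example /v Flag /d 1"),
]


def find_suspicious_reg(events):
    """Return reg.exe events whose parent is cmd.exe and whose grandparent is
    not explorer.exe, i.e. the command prompt was not opened by the user.
    Ancestry is resolved per host by (dest, process_id), the way a self-join on
    the Processes node would; a cmd.exe with no recorded parent is kept,
    because an unknown parent is not evidence of a user-launched prompt."""
    by_pid = {(e.dest, e.process_id): e for e in events}
    hits = []
    for e in events:
        if e.process_name.lower() != "reg.exe":
            continue
        parent = by_pid.get((e.dest, e.parent_process_id))
        if parent is None or parent.process_name.lower() != "cmd.exe":
            continue
        grandparent = by_pid.get((parent.dest, parent.parent_process_id))
        if grandparent and grandparent.process_name.lower() == "explorer.exe":
            continue  # interactive prompt: filtered out, as the description says
        hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_reg(SAMPLE_EVENTS):
        print(f"{hit.dest} pid={hit.process_id} parent cmd.exe not from explorer.exe: {hit.process}")
```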


Use Case

Security Monitoring

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Modify Registry

MITRE Threat Groups

APT19
APT32
APT38
APT41
Blue Mockingbird
Dragonfly 2.0
FIN8
Gamaredon Group
Gorgon Group
Honeybee
Lazarus Group
Patchwork
Silence
Threat Group-3390
Turla
Wizard Spider

Data Sources

Endpoint Detection and Response

Suspicious Reg Exe Process Help

You must be ingesting data that records process activity from your hosts, so that the Processes node of the Endpoint data model is populated. The logs must carry both the process name and the full command line from your endpoints; the command-line arguments are mapped to the "process" field in the Endpoint data model.
