Reg.exe Detections added

rules/windows/process_creation/proc_creation_win_reg_build_number_discovery.yml

@@ -0,0 +1,28 @@
+title: OS Build Number Discovery via reg.exe
+id: 9c349345-6844-4628-843f-2c8ad5967978
+status: test
+description: This Sigma rule detects the use of reg.exe to query the Windows registry for the operating system's build number.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-40---discover-os-build-number-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_command_line:
+        CommandLine|contains|all:
+            - 'query'
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+            - 'CurrentBuildNumber'
+        CommandLine|windash|contains: '-v'
+    condition: selection_img and selection_command_line
+falsepositives:
+    - Unlikely
+level: medium

rules/windows/process_creation/proc_creation_win_reg_product_name_discovery.yml

@@ -0,0 +1,28 @@
+title: OS Product Name Discovery via reg.exe
+id: 6c13d616-13ff-41ca-b94f-35fc294feb48
+status: test
+description: This Sigma rule identifies the use of reg.exe to query the Windows registry for the operating system's product name.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-39---discover-os-product-name-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_command_line:
+        CommandLine|contains|all:
+            - 'query'
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+            - 'ProductName'
+        CommandLine|windash|contains: '-v'
+    condition: selection_img and selection_command_line
+falsepositives:
+    - Unlikely
+level: medium

rules/windows/process_creation/proc_creation_win_reg_time_zone_discovery.yml

@@ -0,0 +1,28 @@
+title: Time Zone Discovery via reg.exe
+id: 9090d3ad-df87-47f7-b47a-63e34e29b035
+status: test
+description: This Sigma rule detects the use of reg.exe to query the system's time zone information from the Windows registry.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md#atomic-test-6---discover-system-time-zone-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+    - attack.discovery
+    - attack.t1124
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_command_line:
+        CommandLine|contains|all:
+            - 'query'
+            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
+            - 'TimeZoneKeyName'
+        CommandLine|windash|contains: '-v'
+    condition: selection_img and selection_command_line
+falsepositives:
+    - Unlikely
+level: medium