From fa936e04fcec796a9004e48358d1760831fac8c8 Mon Sep 17 00:00:00 2001
From: gbL2k
Date: Thu, 19 Dec 2024 21:56:43 +0100
Subject: [PATCH] Reg.exe Detections added
---
 ...reation_win_reg_build_number_discovery.yml | 28 +++++++++++++++++++
 ...reation_win_reg_product_name_discovery.yml | 28 +++++++++++++++++++
 ...c_creation_win_reg_time_zone_discovery.yml | 28 +++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_reg_build_number_discovery.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_reg_product_name_discovery.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_reg_time_zone_discovery.yml
diff --git a/rules/windows/process_creation/proc_creation_win_reg_build_number_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_build_number_discovery.yml
new file mode 100644
index 00000000000..27fae16f380
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_build_number_discovery.yml
@@ -0,0 +1,28 @@
+title: OS Build Number Discovery via reg.exe
+id: 9c349345-6844-4628-843f-2c8ad5967978
+status: test
+description: This Sigma rule detects the use of reg.exe to query the Windows registry for the operating system's build number.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-40---discover-os-build-number-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+ - attack.discovery
+ - attack.T1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_command_line:
+ CommandLine|contains|all:
+ - 'query'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ - '/v'
+ - 'CurrentBuildNumber'
+ condition: selection_img and selection_command_line
+falsepositives:
+ - Unlikely
+level: high
\ No newline at end of file
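Review bot: `level: high` combined with `falsepositives: - Unlikely` does not fit this selection, and the same applies to the two sibling rules in this patch: a `reg query` of `\SOFTWARE\Microsoft\Windows NT\CurrentVersion` for `CurrentBuildNumber` or `ProductName` is routine in inventory agents, installers and admin scripts, so a high-severity alert on it will mostly fire on benign activity. I would set `level: low` and replace the entry with `Administrative scripts and inventory or management software querying OS version information`. The ATT&CK tags need to be lowercase per Sigma convention (`attack.t1082` here and in the product-name rule, `attack.t1124` in the time-zone rule), and the description convention is to open with `Detects ...` rather than `This Sigma rule detects ...`. All three files also end without a trailing newline (`\ No newline at end of file`), which yamllint rejects. The selection mirrors the referenced atomic test exactly by requiring `/v` and the value name, although a bare `reg query` of the key returns the same values; at the lower level, matching on `'query'` and the key path alone would give broader coverage without changing the false-positive profile much.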
diff --git a/rules/windows/process_creation/proc_creation_win_reg_product_name_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_product_name_discovery.yml
new file mode 100644
index 00000000000..3c27123c344
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_product_name_discovery.yml
@@ -0,0 +1,28 @@
+title: OS Product Name Discovery via reg.exe
+id: 6c13d616-13ff-41ca-b94f-35fc294feb48
+status: test
+description: This Sigma rule identifies the use of reg.exe to query the Windows registry for the operating system's product name.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-39---discover-os-product-name-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+ - attack.discovery
+ - attack.T1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_command_line:
+ CommandLine|contains|all:
+ - 'query'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ - '/v'
+ - 'ProductName'
+ condition: selection_img and selection_command_line
+falsepositives:
+ - Unlikely
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_reg_time_zone_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_time_zone_discovery.yml
new file mode 100644
index 00000000000..c6832f61a07
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_time_zone_discovery.yml
@@ -0,0 +1,28 @@
+title: Time Zone Discovery via reg.exe
+id: 9090d3ad-df87-47f7-b47a-63e34e29b035
+status: test
+description: This Sigma rule detects the use of reg.exe to query the system's time zone information from the Windows registry.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md#atomic-test-6---discover-system-time-zone-via-registry
+author: lazarg
+date: 2024-12-19
+tags:
+ - attack.discovery
+ - attack.T1124
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_command_line:
+ CommandLine|contains|all:
+ - 'query'
+ - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
+ - '/v'
+ - 'TimeZoneKeyName'
+ condition: selection_img and selection_command_line
+falsepositives:
+ - Unlikely
+level: high
\ No newline at end of file
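Review bot: The key path `'\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'` is matched as a substring, so a `reg query` that addresses the key through a numbered control set (`ControlSet001`) instead of the `CurrentControlSet` link is not covered even though it reads the same data. Anchoring on `'\Control\TimeZoneInformation'` keeps the match independent of the control-set name while still excluding unrelated keys. The `TimeZoneKeyName` value is only one of several under that key that reveal the zone, so pinning the selection to it narrows the rule to the referenced atomic test rather than the technique.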