From 5d7fe8823bb7de3c2eb057f2f1006be97ff9f3e8 Mon Sep 17 00:00:00 2001
From: markus-nclose <38457858+markus-nclose@users.noreply.github.com>
Date: Wed, 1 Mar 2023 13:27:59 +0200
Subject: [PATCH] Add reg.exe

Reg.exe for Qakbot defense evasion.
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB17_28.02.2023.txt
xcopy C:\Windows\\\\\\system32\\\\\\reg.exe C:\Users\Admin\AppData\Local\Temp\glanduleHoratory.exe /h /s /e
---
 .../proc_creation_win_renamed_binary_highly_relevant.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index 54a382a8b..e163cc096 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -52,6 +52,7 @@ detection:
 - 'rundll32.exe'
 - 'cmstp.exe'
 - 'msiexec.exe'
+ - 'reg.exe'
 filter:
 Image|endswith:
 - '\powershell.exe'
@@ -69,6 +70,7 @@ detection:
 - '\rundll32.exe'
 - '\cmstp.exe'
 - '\msiexec.exe'
+ - '\reg.exe'
 condition: selection and not filter
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
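Review bot: The new `- 'reg.exe'` entry changes the rule's detection logic, yet the diffstat (`1 file changed, 2 insertions(+)`) shows the rule header was not touched, so `modified:` was not bumped and the Qakbot sample URL given in the commit message is not recorded in `references:`. Sigma convention for a logic change is to set `modified: 2023/03/01` and append the URL to `references:` so consumers regenerating backend queries can see why the rule changed. The field that `selection` matches on is outside this hunk; if it is `OriginalFileName` as the rule name suggests, the new entry depends on the PE version resource being logged (present in Sysmon EID 1, absent from native 4688), which is worth one sentence in the rule's `description`. The `detection:` block begins before this hunk.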
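Review bot: The new filter entry `- '\reg.exe'` excludes every image whose path ends in `\reg.exe`, so a copy of reg.exe that keeps its own filename but runs from a user-writable directory such as `%TEMP%` is not flagged by this rule. That is consistent with the rule's renamed-binary scope and with the `glanduleHoratory.exe` sample in the commit message, but it is a deliberate blind spot and should be stated, e.g. in `falsepositives` or the description: `reg.exe copied under its original name is out of scope here; pair with a rule on system binaries executing from non-system paths`. The `filter` block begins before this hunk.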