title: Reg Add RUN Key
id: de587dce-915e-4218-aac4-835ca6af6f70
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
status: experimental
date: 2021/06/28
author: Florian Roth
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all: 
            - 'reg'
            - ' ADD '
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.persistence
    - attack.t1547.001