title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
status: experimental
description: Detects the export of the target Registry key to a file.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
tags:
    - attack.exfiltration
    - attack.t1012
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        CommandLine|contains: ' /E '
    filter_1: # filters to avoid intersection with critical keys rule
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    filter_2:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: selection and not (filter_1 and filter_2)
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate export of keys
level: low