← Back to SOC feed Coverage →

New BgInfo.EXE Custom DB Path Registry Configuration

sigma MEDIUM SigmaHQ
T1112
imRegistry
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-25T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate

Detection Rule

Sigma (Original)

title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml