← Back to SOC feed Coverage →

Regedit as Trusted Installer

sigma HIGH SigmaHQ
T1548
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

Detection Rule

Sigma (Original)

title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\regedit.exe" and ((ParentProcessName endswith "\\TrustedInstaller.exe" or ParentProcessName endswith "\\ProcessHacker.exe") or (ActingProcessName endswith "\\TrustedInstaller.exe" or ActingProcessName endswith "\\ProcessHacker.exe"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml