Periodic Backup For System Registry Hives Enabled (973ef012-8f1a-4c40-93b4-7e659a5cd17f)
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | Periodic Backup For System Registry Hives Enabled (973ef012-8f1a-4c40-93b4-7e659a5cd17f) | Sigma-Rules | 1 |