Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
Sigma rule

title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Image|endswith: '\regedit.exe'
    condition: selection
fields:
    - TargetFilename
falsepositives:
    - Unknown
level: high
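To show what the rule actually does at query time, here is the selection above applied to a handful of log records. This is an added example, not code from the Sigma project or the rule authors. It assumes that the Windows `create_stream_hash` log source resolves to Sysmon Event ID 15 (FileCreateStreamHash), whose records carry the `Image` and `TargetFilename` fields the rule uses; the sample events are constructed for illustration, not captured telemetry. Since Sigma string matching is case-insensitive by default, the `endswith` modifier is implemented with a lower-cased comparison, and a small helper separates the host file from the stream name in `TargetFilename` so that an alert can be triaged.

```python
"""Evaluate the Sigma selection 'Image|endswith: \\regedit.exe' against
constructed Sysmon FileCreateStreamHash (Event ID 15) records.

Added example, not part of the original rule page. Assumption: Sigma's
Windows log-source config maps the create_stream_hash category to Sysmon
Event ID 15. The records below are constructed, not real telemetry.
"""
import ntpath

# Value taken from the rule's selection. Sigma compares strings
# case-insensitively by default, so both sides are lower-cased.
SELECTION_IMAGE_ENDSWITH = "\\regedit.exe"

# Constructed sample events. Field names follow the Sysmon Event ID 15
# schema the rule relies on: Image (writing process) and TargetFilename
# (file plus ':stream' suffix).
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": "C:\\Windows\\regedit.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt:export.reg"},
    # Mixed case: the rule must still match this one.
    {"EventID": 15, "Image": "C:\\Windows\\REGEDIT.EXE",
     "TargetFilename": "C:\\ProgramData\\report.docx:k"},
    # Benign noise: a browser writing the Zone.Identifier mark-of-the-web.
    {"EventID": 15, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier"},
    # Another process writing a stream: not covered by this rule.
    {"EventID": 15, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\out.txt:hidden"},
]


def matches_selection(event):
    """Return True if the event satisfies the rule's single selection."""
    if event.get("EventID") != 15:
        return False
    image = event.get("Image", "")
    return image.lower().endswith(SELECTION_IMAGE_ENDSWITH.lower())


def split_stream(target_filename):
    """Split 'C:\\dir\\file.txt:stream' into (host_path, stream_name).

    ntpath.split keeps the drive-letter colon in the head, so only the
    final path component is inspected for a ':' stream separator. A name
    without a stream suffix returns (target_filename, '').
    """
    head, tail = ntpath.split(target_filename)
    if ":" in tail:
        name, _, stream = tail.partition(":")
        return ntpath.join(head, name), stream
    return target_filename, ""


def run_rule(events):
    """Return (host_path, stream_name) for every event the rule alerts on."""
    hits = []
    for ev in events:
        if matches_selection(ev):
            hits.append(split_stream(ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for path, stream in run_rule(SAMPLE_EVENTS):
        print(f"ALERT regedit wrote stream '{stream}' on {path}")
```

Only the two regedit.exe records produce alerts; the Zone.Identifier write and the cmd.exe write fall through, which mirrors why the rule keys on the writing process rather than on stream creation in general.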
Related rules
- Execute From Alternate Data Streams
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE
- NTFS Alternate Data Stream
- Potential Rundll32 Execution With DLL Stored In ADS