Exports Registry Key To an Alternate Data Stream

Detects regedit.exe creating an NTFS alternate data stream. The technique, listed on the LOLBAS Regedit page referenced in the rule, is to export a Registry key straight into a stream with `regedit /E <file>:<stream> <key>`, so the exported .reg data does not show up in a normal directory listing. The rule keys on Sysmon Event ID 15 (FileCreateStreamHash), which is only generated where the Sysmon configuration logs stream creation for the written path; verify that coverage before relying on the rule. A legitimate `regedit /E` export writes an ordinary file with no stream, so any hit deserves triage.

Sigma rule

title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1564.004   # Hide Artifacts: NTFS File Attributes
logsource:
    product: windows
    category: create_stream_hash   # Sysmon Event ID 15 (FileCreateStreamHash)
detection:
    selection:
        Image|endswith: '\regedit.exe'   # any path to regedit.exe; Sigma string matching is case-insensitive
    condition: selection
fields:
    - TargetFilename   # carries the stream name, e.g. C:\dir\file.txt:ads
falsepositives:
    - Unknown
level: high
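The following Python is an added example, not part of the rule or the Sigma project. It replays the rule's selection (a create_stream_hash event whose Image ends in `\regedit.exe`) over a handful of constructed Sysmon Event ID 15 records, splits the stream name out of TargetFilename without tripping over the drive colon, and adds a triage hint: Sysmon 12 and later record small text streams in a `Contents` field, and a regedit export starts with the header `Windows Registry Editor Version 5.00`. The sample events, the user names and the assumption that `Contents` is populated are all constructed for the example.

```python
"""Replay of the Sigma selection over constructed Sysmon Event ID 15 records."""

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 15 (FileCreateStreamHash): Image, TargetFilename, Contents.
SAMPLE_EVENTS = [
    {   # regedit export into an ADS: should alert
        "EventID": 15,
        "Image": r"C:\Windows\regedit.exe",
        "TargetFilename": r"C:\Users\alice\notes.txt:ads",
        "Contents": "Windows Registry Editor Version 5.00\r\n\r\n[HKEY_CURRENT_USER\\Software\\Test]",
    },
    {   # browser download writing Zone.Identifier: different Image, no alert
        "EventID": 15,
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3",
    },
    {   # regedit copied to a user-writable path, mixed case: Sigma matching is case-insensitive
        "EventID": 15,
        "Image": r"C:\Users\alice\AppData\Local\Temp\REGEDIT.EXE",
        "TargetFilename": r"\\?\C:\ProgramData\cache.dat:hkcu",
        "Contents": "",
    },
    {   # a plain file-create event (EID 11), not a stream: outside the log source
        "EventID": 11,
        "Image": r"C:\Windows\regedit.exe",
        "TargetFilename": r"C:\Users\alice\export.reg",
    },
]

# First line of every file written by regedit /E.
REG_EXPORT_HEADER = "Windows Registry Editor Version 5.00"


def matches_rule(event):
    """Sigma selection: category create_stream_hash (Sysmon EID 15) and
    Image|endswith '\\regedit.exe'. Sigma compares strings case-insensitively,
    so both sides are lowercased."""
    if event.get("EventID") != 15:
        return False
    return event.get("Image", "").lower().endswith("\\regedit.exe")


def split_stream(target):
    """Return (path, stream) from a Sysmon TargetFilename such as C:\\dir\\f.txt:ads.
    Only the last path component is split on ':', so the drive colon is untouched."""
    head, sep, name = target.rpartition("\\")
    if ":" in name:
        base, stream = name.split(":", 1)
        return head + sep + base, stream
    return target, ""


def triage(events):
    """Apply the rule and enrich each hit with the stream name and an
    indicator of whether the stream body looks like a .reg export.
    Assumption: Contents is populated (Sysmon >= 12, text stream)."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        path, stream = split_stream(ev["TargetFilename"])
        contents = ev.get("Contents", "")
        alerts.append({
            "image": ev["Image"],
            "file": path,
            "stream": stream,
            "looks_like_reg_export": contents.startswith(REG_EXPORT_HEADER),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The second hit shows why the rule is still worth keeping even when `Contents` is empty: the stream name alone (`hkcu`) and a regedit binary running out of a temp directory are enough to escalate, while the empty-Contents case reminds you that the header check is a confidence boost, not a filter.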
