Imports Registry Key From an ADS

 1title: Imports Registry Key From an ADS
 2id: 0b80ade5-6997-4b1d-99a1-71701778ea61
 3related:
 4    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
 5      type: similar
 6status: test
 7description: Detects the import of a alternate datastream to the registry with regedit.exe.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11author: Oddvar Moe, Sander Wiebing, oscd.community
12date: 2020-10-12
13modified: 2024-03-13
14tags:
15    - attack.t1112
16    - attack.defense-evasion
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\regedit.exe'
23        - OriginalFileName: 'REGEDIT.EXE'
24    selection_cli:
25        CommandLine|contains:
26            - ' /i '
27            - '.reg'
28        CommandLine|re: ':[^ \\]'
29    filter:
30        CommandLine|contains|windash:
31            - ' -e '
32            - ' -a '
33            - ' -c '
34    condition: all of selection_* and not filter
35fields:
36    - ParentImage
37    - CommandLine
38falsepositives:
39    - Unknown
40level: high

References

• Regedit on LOLBAS

  

  Regedit.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Execute from Alternate Streams

  

  Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry
• Allow RDP Remote Assistance Feature
• Blackbyte Ransomware Registry
• CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry