Suspicious Registry Modification From ADS Via Regini.EXE

calendar Aug 12, 2024 · attack.t1112 attack.defense-evasion  ·
Share on: linkedin copy

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

Sigma rule (View on GitHub)

 1title: Suspicious Registry Modification From ADS Via Regini.EXE
 2id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 3related:
 4    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 5      type: derived
 6status: test
 7description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020-10-12
14modified: 2023-02-08
15tags:
16    - attack.t1112
17    - attack.defense-evasion
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\regini.exe'
24        - OriginalFileName: 'REGINI.EXE'
25    selection_re:
26        CommandLine|re: ':[^ \\]'
27    condition: all of selection_*
28fields:
29    - ParentImage
30    - CommandLine
31falsepositives:
32    - Unknown
33level: high

References

  • Regini on LOLBAS

    Regini.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Execute from Alternate Streams

    Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.


    Read More

  • regini

    Reference article for the regini command, which modifies the registry from the command line or a script, and applies changes that were preset in one or more text files.


    Read More

Related rules

to-top