Suspicious Registry Modification From ADS Via Regini.EXE

Detects the import of an alternate data stream with regini.exe; regini.exe can be used to modify registry keys.

Sigma rule

title: Suspicious Registry Modification From ADS Via Regini.EXE
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
related:
    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
      type: derived
status: test
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    selection_re:
        CommandLine|re: ':[^ \\]'
    condition: all of selection_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Unknown
level: high
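To show what the rule's two selections and the `all of selection_*` condition actually match, here is the detection logic re-implemented in Python and run over constructed process_creation events (an added example, not code from SigmaHQ or the rule authors; the event dictionaries and their field values are invented for illustration).

```python
import re

# Added example re-implementing the Sigma rule above. Event fields use the
# process_creation names the rule reads: Image, OriginalFileName, CommandLine.
ADS_PATTERN = re.compile(r':[^ \\]')  # CommandLine|re: ':[^ \\]'


def selection_img(event: dict) -> bool:
    """Image ends with \\regini.exe OR OriginalFileName is REGINI.EXE.
    Sigma string matches are case-insensitive, so compare lower-cased."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regini.exe") or original == "regini.exe"


def selection_re(event: dict) -> bool:
    """A colon followed by a character that is neither a space nor a backslash,
    i.e. the stream separator in file.txt:stream (a drive colon 'C:\\' does not match)."""
    return ADS_PATTERN.search(event.get("CommandLine", "")) is not None


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_re(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regini.exe", "OriginalFileName": "REGINI.EXE",
     "CommandLine": r"regini.exe C:\Users\Public\notes.txt:hidden.ini"},  # ADS -> alert
    {"Image": r"C:\Windows\System32\regini.exe", "OriginalFileName": "REGINI.EXE",
     "CommandLine": r"regini.exe C:\Temp\keys.ini"},  # only a drive colon -> no alert
    {"Image": r"C:\Temp\r.exe", "OriginalFileName": "REGINI.EXE",
     "CommandLine": r"r.exe data.txt:stream"},  # renamed binary still caught via OriginalFileName
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c type file.txt:stream"},  # ADS syntax but not regini -> no alert
]


def evaluate(events: list) -> list:
    """Return one True/False verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Any colon not followed by a space or backslash satisfies selection_re, so a URL or other colon-bearing argument passed to regini.exe also fires; that is the place to tune if the rule proves noisy in an environment.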
