Suspicious Registry Modification From ADS Via Regini.EXE
Detects regini.exe being invoked with a registry script stored in an alternate data stream (ADS); regini.exe can be used to modify registry keys, and hiding the script in an ADS is a defense-evasion technique.
Sigma rule (View on GitHub)
```yaml
title: Suspicious Registry Modification From ADS Via Regini.EXE
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
related:
    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
      type: derived
status: test
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020/10/12
modified: 2023/02/08
tags:
    - attack.t1112
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    selection_re:
        CommandLine|re: ':[^ \\]'
    condition: all of selection_*
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Unknown
level: high
```
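The rule's detection logic, re-implemented in plain Python and run over a few constructed process_creation events, as an added example (this is not code from the Sigma project or the rule's authors). It assumes the Sigma process_creation field names (Image, OriginalFileName, CommandLine) and the case-insensitive string matching Sigma specifies; the sample events and their labels are made up for the example. It also shows one caveat a practitioner should know about the `':[^ \\]'` regex: the pattern only excludes a backslash after the colon, so a forward-slash path such as `C:/...` satisfies selection_re and would alert.

```python
import re
from typing import Dict, List

# Added example: the detection logic of the Sigma rule above, re-implemented in
# plain Python so it can be run against a handful of process_creation events.
# Field names (Image, OriginalFileName, CommandLine) follow the Sigma
# process_creation taxonomy; the events below are constructed, not real telemetry.

# selection_re: CommandLine|re ':[^ \\]' -> a colon followed by any character
# that is neither a space nor a backslash (a drive letter like C:\ does not match).
ADS_ARGUMENT = re.compile(r":[^ \\]")


def selection_img(event: Dict[str, str]) -> bool:
    """A YAML list under selection_img is OR-ed: either the image path ends with
    \\regini.exe or the PE's OriginalFileName is REGINI.EXE (catches renamed copies).
    Sigma string matching is case-insensitive, hence lower()/upper()."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith("\\regini.exe") or original == "REGINI.EXE"


def selection_re(event: Dict[str, str]) -> bool:
    """selection_re: the command line contains the ADS-style 'file:stream' colon."""
    return ADS_ARGUMENT.search(event.get("CommandLine", "")) is not None


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_re(event)


# Constructed sample events (not real telemetry); 'label' is only used for reporting.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the behaviour the rule targets: a registry script stored in an ADS of notes.txt
        "label": "ads-import",
        "Image": r"C:\Windows\System32\regini.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"regini.exe C:\Users\Public\notes.txt:payload.ini",
    },
    {   # normal use: plain file path, the only colon is the drive letter
        "label": "plain-ini",
        "Image": r"C:\Windows\System32\regini.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"regini.exe C:\Windows\Temp\perms.ini",
    },
    {   # regini.exe copied and renamed; OriginalFileName still identifies it
        "label": "renamed-binary",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"svc.exe config.txt:stream",
    },
    {   # same ADS syntax but a different tool; selection_img does not hold
        "label": "other-tool",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe import C:\Users\Public\notes.txt:payload.reg",
    },
    {   # caveat: a forward-slash path puts '/' right after the drive colon, which the
        # regex does not exclude, so this benign-looking command line alerts as well
        "label": "forward-slash-path",
        "Image": r"C:\Windows\System32\regini.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": "regini.exe C:/Windows/Temp/perms.ini",
    },
]


def alerting_labels(events: List[Dict[str, str]]) -> List[str]:
    """Labels of the events that would raise this rule, in input order."""
    return [e["label"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_rule(e) else "ignore"
        print(f"{verdict}  {e['label']:20} {e['CommandLine']}")
```

Running it flags `ads-import`, `renamed-binary` and `forward-slash-path` and ignores the other two. The renamed-binary case is why the rule keys on OriginalFileName as well as the image path; the forward-slash case is worth keeping in mind when tuning, since the rule lists no known false positives.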
References
- https://lolbas-project.github.io/lolbas/Binaries/Regini/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
Related rules
- Potential NetWire RAT Activity - Registry
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Registry Modification Via Regini.EXE
- Enable LM Hash Storage - ProcCreation