Suspicious Registry Modification From ADS Via Regini.EXE

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

Sigma rule (View on GitHub)

 1title: Suspicious Registry Modification From ADS Via Regini.EXE
 2id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 3related:
 4    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 5      type: derived
 6status: test
 7description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020-10-12
14modified: 2023-02-08
15tags:
16    - attack.t1112
17    - attack.defense-evasion
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\regini.exe'
24        - OriginalFileName: 'REGINI.EXE'
25    selection_re:
26        CommandLine|re: ':[^ \\]'
27    condition: all of selection_*
28fields:
29    - ParentImage
30    - CommandLine
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top