Registry Modification Via Regini.EXE

calendar Nov 24, 2025 · attack.persistence attack.t1112 attack.defense-evasion  ·
Share on: linkedin copy

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

Sigma rule (View on GitHub)

 1title: Registry Modification Via Regini.EXE
 2id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 3related:
 4    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 5      type: derived
 6status: test
 7description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020-10-08
14modified: 2023-02-08
15tags:
16    - attack.persistence
17    - attack.t1112
18    - attack.defense-evasion
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        - Image|endswith: '\regini.exe'
25        - OriginalFileName: 'REGINI.EXE'
26    filter:
27        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
28    condition: selection and not filter
29falsepositives:
30    - Legitimate modification of keys
31level: low

References

  • Regini on LOLBAS

    Regini.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Execute from Alternate Streams

    Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.


    Read More

  • regini

    Reference article for the regini command, which modifies the registry from the command line or a script, and applies changes that were preset in one or more text files.


    Read More

Related rules

to-top