Registry Modification Via Regini.EXE

calendar Aug 12, 2024 · attack.t1112 attack.defense-evasion  ·
Share on: linkedin copy

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

Sigma rule (View on GitHub)

 1title: Registry Modification Via Regini.EXE
 2id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 3related:
 4    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 5      type: derived
 6status: test
 7description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020-10-08
14modified: 2023-02-08
15tags:
16    - attack.t1112
17    - attack.defense-evasion
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        - Image|endswith: '\regini.exe'
24        - OriginalFileName: 'REGINI.EXE'
25    filter:
26        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
27    condition: selection and not filter
28fields:
29    - ParentImage
30    - CommandLine
31falsepositives:
32    - Legitimate modification of keys
33level: low

References

  • Regini on LOLBAS

    Regini.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Execute from Alternate Streams

    Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.


    Read More

  • regini

    Reference article for the regini command, which modifies the registry from the command line or a script, and applies changes that were preset in one or more text files.


    Read More

Related rules

to-top