Registry Modification Via Regini.EXE

 1title: Registry Modification Via Regini.EXE
 2id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 3related:
 4    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 5      type: derived
 6status: test
 7description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020-10-08
14modified: 2023-02-08
15tags:
16    - attack.persistence
17    - attack.t1112
18    - attack.defense-evasion
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        - Image|endswith: '\regini.exe'
25        - OriginalFileName: 'REGINI.EXE'
26    filter:
27        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
28    condition: selection and not filter
29fields:
30    - ParentImage
31    - CommandLine
32falsepositives:
33    - Legitimate modification of keys
34level: low

References

• Regini on LOLBAS

  

  Regini.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Execute from Alternate Streams

  

  Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• regini

  

  Reference article for the regini command, which modifies the registry from the command line or a script, and applies changes that were preset in one or more text files.

  
  Read More

Related rules

• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry
• Allow RDP Remote Assistance Feature
• Blackbyte Ransomware Registry
• Blue Mockingbird