Registry Modification Via Regini.EXE

Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.

Sigma rule

```yaml
title: Registry Modification Via Regini.EXE
id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
related:
    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
      type: derived
status: test
description: Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-08
modified: 2023-02-08
tags:
    - attack.t1112
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    filter:
        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
    condition: selection and not filter
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate modification of keys
level: low
```
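The detection logic above, applied to a handful of process_creation events so the two selection branches and the filter can be seen working. This is an added example, not part of the SigmaHQ rule or its tooling; the events are constructed for illustration and the field values (Image, OriginalFileName, CommandLine, ParentImage) follow the Sysmon-style naming the rule expects. It mirrors the rule's semantics: the two entries under `selection` are OR'ed, string matching is case-insensitive as in Sigma, and any command line containing a colon that is not followed by a space or backslash (for example an alternate data stream path such as `file.txt:hidden.ini`) is dropped by `filter` because the related rule 77946e79-97f1-45a2-84b4-f37b5c0d8682 covers that case.

```python
import re

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: plain regini use with a normal path -> should match (level: low)
        "Image": r"C:\Windows\System32\regini.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"regini.exe C:\Users\Public\keys.ini",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: script read from an alternate data stream -> excluded by filter,
        #    left to the related rule 77946e79-97f1-45a2-84b4-f37b5c0d8682
        "Image": r"C:\Windows\System32\regini.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"regini.exe C:\Users\Public\notes.txt:hidden.ini",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: renamed binary; Image no longer ends in \regini.exe but the PE
        #    OriginalFileName still gives it away -> should match
        "Image": r"C:\Temp\r.exe",
        "OriginalFileName": "REGINI.EXE",
        "CommandLine": r"r.exe C:\Temp\x.ini",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # 4: unrelated registry tool -> no match
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe add HKCU\Software\Example /v Run /d x.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Same pattern as the rule's CommandLine|re: ':[^ \\]' (colon not followed by
# a space or a backslash). 'C:\' does not match; 'file.txt:stream' does.
FILTER_RE = re.compile(r":[^ \\]")


def selection(event):
    """Either Image ends with \\regini.exe or OriginalFileName is REGINI.EXE.
    Sigma string comparisons are case-insensitive, so lower-case both sides."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regini.exe") or original == "regini.exe"


def filter_(event):
    """True when the command line looks like an ADS / non-standard path."""
    return FILTER_RE.search(event.get("CommandLine", "")) is not None


def matches(event):
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


def run(events):
    """Return the rule's 'fields' (ParentImage, CommandLine) for each hit."""
    return [(e["ParentImage"], e["CommandLine"]) for e in events if matches(e)]


if __name__ == "__main__":
    for parent, cmdline in run(SAMPLE_EVENTS):
        print(f"HIT  parent={parent}  cmdline={cmdline}")
```

Running it reports events 1 and 3 only: the ADS variant is deliberately left to the higher-severity related rule, and the renamed-binary case shows why matching on OriginalFileName in addition to Image matters. When tuning the false positive ("legitimate modification of keys"), the ParentImage field is the natural place to start, since administrative use normally arrives from a known deployment or scripting host rather than an Office or browser parent.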
