Registry Modification Via Regini.EXE
Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
Sigma rule (View on GitHub)
1title: Registry Modification Via Regini.EXE
2id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
3related:
4 - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
5 type: derived
6status: test
7description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
8references:
9 - https://lolbas-project.github.io/lolbas/Binaries/Regini/
10 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
11 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
12author: Eli Salem, Sander Wiebing, oscd.community
13date: 2020/10/08
14modified: 2023/02/08
15tags:
16 - attack.t1112
17 - attack.defense_evasion
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 - Image|endswith: '\regini.exe'
24 - OriginalFileName: 'REGINI.EXE'
25 filter:
26 CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
27 condition: selection and not filter
28fields:
29 - ParentImage
30 - CommandLine
31falsepositives:
32 - Legitimate modification of keys
33level: low
References
-
Write registry keys from data inside the Alternate data stream. regini.exe newfile.txt:hidden.ini Use caseWrite to registry Privileges requiredUser Operating systemsWindows vista, Windows 7, Window...
Read More -
Related rules
- Potential NetWire RAT Activity - Registry
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Suspicious Registry Modification From ADS Via Regini.EXE
- Enable LM Hash Storage - ProcCreation