Reg.exe

Used to manipulate the registry


Paths:


Resources:
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Acknowledgement:
Oddvar Moe - @oddvarmoe


Detection:
reg.exe writing to an ADS



Alternate data streams

Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Usecase: Hide/plant registry information in Alternate data stream for later use
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1096
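
The detection note above ("reg.exe writing to an ADS"), as an added example that is not part of the original entry: a Python check over process-creation command lines that flags reg.exe file-writing subcommands whose output path names an alternate data stream. It goes beyond the entry's `reg export` case by also covering `reg save`; the function names are hypothetical and every sample command line except the first is constructed.

```python
import re

WRITE_SUBCOMMANDS = {"export", "save"}  # reg.exe subcommands that write a file

def split_cmdline(cmdline):
    # Split on whitespace, keeping double-quoted arguments whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def ads_stream(path):
    # Return the named stream in a path like file.txt:evilreg.reg, else None.
    path = re.sub(r'^\\\\\?\\', '', path)    # drop a \\?\ prefix
    path = re.sub(r'^[A-Za-z]:', '', path)   # drop the drive letter and its colon
    leaf = re.split(r'[\\/]', path)[-1]
    parts = leaf.split(':')
    # file:stream or file:stream:$DATA; file::$DATA is the default unnamed stream
    if len(parts) >= 2 and parts[1]:
        return parts[1]
    return None

def detect_reg_ads_write(cmdline):
    # Return (subcommand, target, stream) if reg.exe writes to an ADS, else None.
    tokens = split_cmdline(cmdline)
    if len(tokens) < 4:                      # image, subcommand, key, file
        return None
    image = re.split(r'[\\/]', tokens[0])[-1].lower()
    if image not in ("reg", "reg.exe"):
        return None
    sub = tokens[1].lower()
    if sub not in WRITE_SUBCOMMANDS:
        return None
    stream = ads_stream(tokens[3])
    return (sub, tokens[3], stream) if stream else None

# Constructed sample command lines (the first is the command from this entry).
SAMPLE_EVENTS = [
    r'reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg',
    r'"C:\Windows\System32\reg.exe" EXPORT "HKCU\Software\Example Key" "C:\Users\Public\notes.txt:cfg.reg" /y',
    r'reg export HKLM\SOFTWARE\Example C:\backup\example.reg',
    r'reg query HKLM\SOFTWARE\Microsoft\Evilreg',
    r'reg save HKCU\Software\Example C:\temp\out.hiv::$DATA',
]

def scan(events):
    # Keep only the command lines that write to a named stream.
    return [hit for hit in map(detect_reg_ads_write, events) if hit]

if __name__ == "__main__":
    for sub, target, stream in scan(SAMPLE_EVENTS):
        print(f"reg {sub} -> {target} (stream: {stream})")
```

Command-line matching of this kind only sees the arguments as logged; pairing it with file-creation telemetry that records the stream name covers cases where the path is built indirectly.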