.. / Regedit.exe
Star

Used by Windows to manipulate registry


Paths:


Resources:
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Acknowledgement:
Oddvar Moe - @oddvarmoe


Detection:
regedit.exe reading and writing to alternate data stream
regedit.exe should normally not be executed by end-users



Alternate data streams

Export the target Registry key to the specified .REG file.
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Usecase:Hide registry data in alternate data stream
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096



Import the target .REG file into the Registry.
regedit C:\ads\file.txt:regfile.reg
Usecase:Import hidden registry data from alternate data stream
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096