.. / Regini.exe
Star

Alternate data streams

Used to manipulate the registry

Paths:

C:\Windows\System32\regini.exe
C:\Windows\SysWOW64\regini.exe

Resources:

https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Acknowledgements:

Eli Salem (@elisalem9)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini_ads.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini.yml
IOC: regini.exe reading from ADS

Alternate data streams

Write registry keys from data inside the Alternate data stream.

regini.exe newfile.txt:hidden.ini

Usecase: Write to registry
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004

.. / Regini.exe Star

Alternate data streams

.. / Regini.exe
Star