Regini.exe
Used to manipulate the registry from a text script file (keys, values and permissions described in an .ini-style format)
Paths:
- C:\Windows\System32\regini.exe
- C:\Windows\SysWOW64\regini.exe
Resources:
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
Eli Salem - @elisalem9
Commands:
Alternate data streams
Description: Write registry keys and values from a regini script stored inside an NTFS alternate data stream (ADS) of another file, so the script is not visible in a normal directory listing.
Command: regini.exe newfile.txt:hidden.ini
Usecase: Write to registry
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1096 (NTFS File Attributes; in the current ATT&CK matrix this technique lives under T1564.004, Hide Artifacts: NTFS File Attributes)
Detection:
- regini.exe reading its script from an ADS, i.e. a command line whose script argument has the file:stream form (a colon after the file name that is not a drive-letter colon)
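The following PowerShell script is an added walkthrough of the technique and of the detection point above; it is not part of the LOLBAS entry or of the linked gist. It writes a regini script into a named stream of an ordinary text file, runs regini.exe against the file:stream path, checks that the registry write landed, then shows two detection checks: enumerating non-default streams on disk, and a command-line test that flags regini invocations whose script argument is an ADS. The key name HKCU\Software\ReginiAdsDemo, the file and stream names, and the sample command lines are all made up for this example; the Sysmon event IDs cited in comments (15 for FileCreateStreamHash, 12/13 for RegistryEvent) are from Sysmon's documentation, not from this page. Run it as a standard user on an NTFS volume.

```powershell
# Added demonstration, not code from the LOLBAS entry. Assumed names: the demo key
# HKCU\Software\ReginiAdsDemo, the host file newfile.txt and the stream hidden.ini.
$ErrorActionPreference = 'Stop'

$file    = Join-Path $env:TEMP 'newfile.txt'
$stream  = 'hidden.ini'
$keyPath = 'HKCU:\Software\ReginiAdsDemo'

# 1. The regini script. One registry key per line (HKEY_* shorthand or a \Registry\...
#    path), followed by indented "Name = TYPE value" lines for the values under it.
$reginiScript = @"
HKEY_CURRENT_USER\Software\ReginiAdsDemo
    Marker = REG_SZ WrittenFromAds
    Flag   = REG_DWORD 1
"@

# 2. Create an innocuous host file and store the script in a named stream.
#    dir / Get-ChildItem report only the primary stream's size; the script is hidden.
#    (Sysmon Event ID 15, FileCreateStreamHash, records this stream creation.)
Set-Content -Path $file -Value 'nothing to see' -Encoding Ascii
Set-Content -Path $file -Stream $stream -Value $reginiScript -Encoding Ascii

# 3. Run the LOLBin. regini accepts the file:stream syntax like any other path, so the
#    script never has to exist as a stand-alone file on disk.
& "$env:SystemRoot\System32\regini.exe" "${file}:${stream}"

# 4. Confirm the write landed (Sysmon Event ID 12/13 would show regini.exe as the writer).
Get-ItemProperty -Path $keyPath | Select-Object Marker, Flag

# 5a. Detection at rest: list files in the directory that carry streams other than the
#     default :$DATA stream.
Get-ChildItem -Path $env:TEMP -File |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# 5b. Detection in process telemetry: flag a regini.exe command line whose argument
#     contains an ADS marker. The colon must not be a drive-letter colon (a single
#     letter before it) and must not be followed by a path separator, so
#     "C:\dir\file.txt" is benign while "file.txt:hidden.ini" is flagged.
function Test-ReginiAdsCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $CommandLine -match '(?i)\bregini(\.exe)?\b.*?(?<!\b[a-z]):(?=[^\s\\/:])'
}

# Constructed sample command lines (not real log data) in the shape of Sysmon Event ID 1
# or Security 4688 CommandLine fields.
$samples = @(
    'regini.exe newfile.txt:hidden.ini',
    'C:\Windows\System32\regini.exe C:\Users\bob\Documents\report.docx:run.ini',
    'regini.exe C:\Windows\Temp\legit.ini'
)
$samples | ForEach-Object {
    [pscustomobject]@{ CommandLine = $_; AdsScript = Test-ReginiAdsCommandLine $_ }
}

# 6. Clean up the demo artifacts.
Remove-Item -Path $keyPath -Recurse -Force
Remove-Item -Path $file -Force
```

The command-line test is deliberately narrow: it keys on the ADS syntax rather than on a file name, so renaming newfile.txt or the stream does not evade it, while a plain absolute path as the regini argument is not flagged. Pair it with the at-rest stream enumeration, since an attacker can delete the host file after regini has run and only the stream-creation and registry-write events remain.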