title: Registry Modification Via Regini.EXE
id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
related:
    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
      type: derived
status: experimental
description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020/10/08
modified: 2023/02/08
tags:
    - attack.t1112
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    filter:
        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
    condition: selection and not filter
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate modification of keys
level: low