From cb3a45008ef39fe5c0c7c310146d3951eedf8d2c Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Fri, 3 Jul 2020 15:40:58 +0200 Subject: [PATCH] Added regini.exe writing to registry using ADS --- yml/OSBinaries/Regini.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OSBinaries/Regini.yml diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml new file mode 100644 index 0000000..ce20f4c --- /dev/null +++ b/yml/OSBinaries/Regini.yml @@ -0,0 +1,27 @@ +--- +Name: Regini.exe +Description: Used to manipulate the registry +Author: 'Oddvar Moe' +Created: '2020-07-03' +Commands: + - Command: regini.exe newfile.txt:hidden.ini + Description: Write registry keys from data inside the Alternate data stream. + Usecase: Write to registry + Category: ADS + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\regini.exe + - Path: C:\Windows\SysWOW64\regini.exe +Code_Sample: +- Code: +Detection: + - IOC: regini.exe reading from ADS +Resources: + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Eli Salem + Handle: '@elisalem9' +--- \ No newline at end of file
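Review bot: the `Code_Sample` stanza in this hunk is empty (`- Code:` carries no value), and its list item sits at column 0 rather than indented two spaces under the key the way `Commands`, `Full_Path`, `Detection` and `Resources` are; either populate it with the command the entry already documents (`regini.exe newfile.txt:hidden.ini`) or drop the stanza so the file does not ship a placeholder. The `Detection` IOC `regini.exe reading from ADS` would serve defenders better if it named what is actually observable, such as a process-creation event for `regini.exe` whose command line carries a colon-delimited stream name like `newfile.txt:hidden.ini`, since that is the only visible artefact of the ADS read in the documented command. Minor: `Windows vista` should be `Windows Vista` to match the capitalisation of the other OS names in `OperatingSystem`, and the file is committed without a trailing newline (`\ No newline at end of file`).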