LOLBAS/yml/OSBinaries/Regedit.yml

36 lines
1.3 KiB
YAML

---
Name: Regedit.exe
Description: Used by Windows to manipulate registry
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
Usecase: Hide registry data in alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regedit C:\ads\file.txt:regfile.reg"
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
Code Sample:
- Code:
Detection:
- IOC: regedit.exe reading and writing to alternate data stream
- IOC: regedit.exe should normally not be executed by end-users
Resources:
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---