Sigma rule, level: high, Hunting
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
Detection Query
selection:
    Image|endswith: '\regedit.exe'
condition: selection
Author
Oddvar Moe, Sander Wiebing, oscd.community
Created
2020-10-07
Data Sources
windows / create_stream_hash
Platforms
windows
References
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Tags
attack.defense-evasion, attack.t1564.004
Raw Content
title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Image|endswith: '\regedit.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
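The rule's selection applied to constructed Sysmon Event ID 15 (FileCreateStreamHash) records, the Windows event behind the create_stream_hash log source. This is an added Python example, not code from the rule or from the Sigma project; the event field values and the alternate data stream names are invented samples.

```python
# Evaluate the selection `Image|endswith: '\regedit.exe'` over sample
# Sysmon Event ID 15 records. All records below are constructed, not telemetry.
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": "C:\\Windows\\regedit.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.txt:export.reg"},
    {"EventID": 15, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.txt:Zone.Identifier"},
    # Sigma string matching is case-insensitive, so this one still matches.
    {"EventID": 15, "Image": "c:\\windows\\REGEDIT.EXE",
     "TargetFilename": "C:\\Temp\\a.txt:s"},
    # The leading backslash anchors the match to the whole file name, so a
    # differently named binary does not trip the rule.
    {"EventID": 15, "Image": "C:\\Tools\\notregedit.exe",
     "TargetFilename": "C:\\Temp\\b.txt:s"},
]

# The rule's selection block, as a field|modifier -> value mapping.
SELECTION = {"Image|endswith": "\\regedit.exe"}


def field_matches(event, spec, value):
    """Apply one Sigma field/modifier pair to a single event."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual, value = str(actual).lower(), str(value).lower()
    if modifier == "endswith":
        return actual.endswith(value)
    if modifier == "startswith":
        return actual.startswith(value)
    if modifier == "contains":
        return value in actual
    return actual == value  # no modifier: exact, case-insensitive match


def selection_matches(event, selection=SELECTION):
    """Fields inside one Sigma selection are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def alert(events):
    """Return the stream paths written by regedit.exe (condition: selection)."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in alert(SAMPLE_EVENTS):
        print("ADS written by regedit.exe:", hit)
```

Triage the hits by looking at TargetFilename: a stream name ending in `.reg` behind an ordinary file is what this rule is written to surface.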