eq_0008 — 2 rules with the same canonical form

Vendors: sigma (2). Stage count: 2. Correlation shape: single_event.

Members

Sigma Suspicious Registry Modification From ADS Via Regini.EXE events 1
Sigma Registry Modification Via Regini.EXE events 1

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry

Stages and predicates (per member)

Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).

Suspicious Registry Modification From ADS Via Regini.EXE — stage 1 `all of selection_img`

or:
Image|endswith: '\regini.exe'
OriginalFileName: REGINI.EXE

Suspicious Registry Modification From ADS Via Regini.EXE — stage 2 `all of selection_re`

CommandLine|re: ':[^ \\]'

Registry Modification Via Regini.EXE — stage 3 `selection`

or:
Image|endswith: '\regini.exe'
OriginalFileName: REGINI.EXE

Registry Modification Via Regini.EXE — stage 4 `not filter`

CommandLine|re: ':[^ \\]'

Indicators (across all members)

Field	Kind	Value	Members	Corpus
`CommandLine`	regex_match	`:[^ \\]`	2	4
`Image`	ends_with	`\regini.exe`	2	2
`OriginalFileName`	eq	`REGINI.EXE`	2	2

eq_0008 — 2 rules with the same canonical form

Members

MITRE ATT&CK coverage

Stages and predicates (per member)

Suspicious Registry Modification From ADS Via Regini.EXE — stage 1 all of selection_img

Suspicious Registry Modification From ADS Via Regini.EXE — stage 2 all of selection_re

Registry Modification Via Regini.EXE — stage 3 selection

Registry Modification Via Regini.EXE — stage 4 not filter

Indicators (across all members)

Suspicious Registry Modification From ADS Via Regini.EXE — stage 1 `all of selection_img`

Suspicious Registry Modification From ADS Via Regini.EXE — stage 2 `all of selection_re`

Registry Modification Via Regini.EXE — stage 3 `selection`

Registry Modification Via Regini.EXE — stage 4 `not filter`