~/Privilege Escalation/Windows/Binaries# cat Reg.exe.md

Used to manipulate the registry

Paths:

C:\Windows\System32\reg.exe
C:\Windows\SysWOW64\reg.exe

Detection: reg.exe writing to an ADS

Alternate data streams

Export the target registry key and save it to the specified .reg file inside an alternate data stream.

reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
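
One way to implement the detection noted above (reg.exe writing to an ADS), as an added example that is not part of the original page. It assumes process-creation command lines are already being collected; the function names are hypothetical and the sample lines are constructed, apart from the first, which is the command shown above.

```python
import re
from pathlib import PureWindowsPath

TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word

def has_ads(path):
    """True when the last path component contains a stream separator."""
    rest = re.sub(r'^[A-Za-z]:', '', path)  # the drive colon is not a stream
    leaf = re.split(r'[\\/]', rest)[-1]
    return ':' in leaf

def reg_export_ads_target(cmdline):
    """Return the output file if this is `reg export` into an ADS, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(tokens) < 4:
        return None
    image = PureWindowsPath(tokens[0]).name.lower()
    if image not in ('reg', 'reg.exe') or tokens[1].lower() != 'export':
        return None
    # Syntax: reg export <KeyName> <FileName> [switches]. Switches such as
    # /reg:64 also contain a colon, so only the FileName position is tested.
    target = tokens[3]
    return target if has_ads(target) else None

def scan(cmdlines):
    """Return (index, target) for every command line that matches."""
    hits = []
    for i, line in enumerate(cmdlines):
        target = reg_export_ads_target(line)
        if target:
            hits.append((i, target))
    return hits

# Constructed sample command lines; the first is the command from this page.
SAMPLE_CMDLINES = [
    r'reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg',
    r'C:\Windows\System32\reg.exe export HKCU\Software\Example c:\backup\example.reg /y',
    r'"C:\Windows\SysWOW64\reg.exe" EXPORT "HKLM\SOFTWARE\Example Key" "c:\ads\notes file.txt:dump.reg" /reg:64',
    r'reg.exe export HKLM\SOFTWARE\Example c:\backup\example.reg /reg:64',
    r'reg query HKLM\SOFTWARE\Microsoft',
]

if __name__ == '__main__':
    for i, target in scan(SAMPLE_CMDLINES):
        print(f'line {i}: reg.exe export into ADS -> {target}')
```

The check covers both paths listed above because it matches on the image file name rather than the full path.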