Regini.exe Execution

Anvilogic Forge

Summary
Regini.exe is a legitimate Windows utility for modifying registry settings; system administrators typically use it to automate registry management through scriptable .ini files. The same tool can be abused by malicious actors to gain unauthorized access and escalate privileges by altering critical registry keys, such as those under the SAM, SECURITY, or SYSTEM hives. Modifying these keys lets an attacker manipulate user access rights, which can lead to privilege escalation and RID hijacking. This detection rule identifies any execution of regini.exe in the environment and treats it as a potential misuse of the tool. It works by monitoring Windows event logs for process creation events whose image is regini.exe and reports the execution context: timestamp, host, user, and parent process. This gives defenders a concrete way to surface the defense evasion tactic this technique supports.
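The detection described above, as an added example that is not part of the Anvilogic rule itself: it runs over constructed records shaped like Windows Security Event ID 4688 (process creation), matches on the image basename so System32/SysWOW64 paths and odd casing are caught, ignores non-4688 events, and emits the context fields the rule reports. Field names follow the standard 4688 event; the sample values are made up.

```python
import ntpath

# Constructed sample records shaped like Windows Security Event ID 4688 (process creation).
# These are made-up events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-02-09T10:15:02Z", "Computer": "WS01",
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\regini.exe",
     "CommandLine": r"regini.exe C:\Temp\perms.ini",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T10:16:40Z", "Computer": "WS01",
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\perms.ini",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T11:02:13Z", "Computer": "SRV02",
     "SubjectUserName": "svc_deploy", "NewProcessName": r"C:\Windows\SysWOW64\REGINI.EXE",
     "CommandLine": "",  # empty when command-line auditing is not enabled on the host
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4624, "TimeCreated": "2024-02-09T11:03:00Z", "Computer": "SRV02",
     "SubjectUserName": "svc_deploy"},  # a logon event, not process creation: must be ignored
]


def is_regini(event):
    """True when a 4688 event records regini.exe starting; the match is on the image
    basename, case-insensitive, so path and casing variants are all caught."""
    if event.get("EventID") != 4688:
        return False
    image = ntpath.basename(event.get("NewProcessName", "")).lower()
    return image == "regini.exe"


def detect_regini(events):
    """Return one alert per regini.exe process creation with the context the rule reports."""
    alerts = []
    for ev in events:
        if not is_regini(ev):
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "host": ev["Computer"],
            "user": ev["SubjectUserName"],
            "parent": ntpath.basename(ev.get("ParentProcessName", "")).lower(),
            # CommandLine is only populated when process creation auditing includes it
            "command_line": ev.get("CommandLine") or "<not audited>",
            "technique": "T1112",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_regini(SAMPLE_EVENTS):
        print(alert)
```

An empty command line in an alert is itself worth noticing: it means the host is not auditing command lines, so the .ini file regini.exe was pointed at cannot be recovered from this event alone.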
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2024-02-09