
Suspicious Registry Modification From ADS Via Regini.EXE

Sigma Rules

Summary
This rule detects the use of regini.exe to modify Windows registry keys from a script stored in an NTFS alternate data stream (ADS). regini.exe is a legitimate Windows utility that applies registry changes described in a text script file; because it reads that script from any path the caller supplies, an attacker can place the script in an ADS of an otherwise harmless file (a path of the form file.ext:streamname), where it does not show up in ordinary directory listings or file viewers, and still have regini.exe apply it. The rule inspects process creation events for regini.exe and alerts when the command line contains a ':' followed by a string, since that is how an ADS path differs from a plain file path. A practitioner tuning this rule should keep in mind that a drive letter such as C:\ also contains a colon, so the match condition must not treat a colon followed by a backslash (or a space) as an ADS marker, or every regini.exe invocation with an absolute path would fire; matching on the binary's original file name in addition to its image path also keeps a renamed copy of regini.exe from evading the rule. Registry modifications made this way are most often associated with persistence and defense evasion, which is why regini.exe running against an ADS is treated as suspicious even though the tool itself is legitimate.
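As an added example (not code from the rule or from this page's author), the detection logic below runs over a handful of constructed process creation events and applies the two conditions described above: the process is regini.exe (by image path or by original file name) and the command line carries an ADS-style argument. The regular expression, the event field names and the sample command lines are assumptions made for illustration; the published rule's exact matching expression is not reproduced on this page.

```python
import re
import shlex
from dataclasses import dataclass


# Constructed record shape, not a real telemetry format: a process-creation
# event reduced to the three fields the detection needs.
@dataclass
class ProcessEvent:
    image: str               # full path of the executable (Sysmon "Image")
    original_file_name: str  # PE version-info name, survives renaming the binary
    command_line: str


# Hypothetical approximation of the rule's "':' followed by a string" test.
# A colon followed by a backslash is a drive letter (C:\...), and a colon
# followed by a space is not a stream name, so both are excluded; any other
# character after a colon is treated as an ADS marker (file.ext:stream).
ADS_MARKER = re.compile(r":[^ \\]")


def is_regini(event: ProcessEvent) -> bool:
    """True if the process is regini.exe, matched by path or by original name
    so that a renamed copy of the binary does not evade the check."""
    return (event.image.lower().endswith("\\regini.exe")
            or event.original_file_name.upper() == "REGINI.EXE")


def has_ads_argument(command_line: str) -> bool:
    """True if any part of the command line looks like an ADS path."""
    return ADS_MARKER.search(command_line) is not None


def ads_targets(command_line: str) -> list[str]:
    """Return the arguments that look like ADS paths, skipping argv[0].
    Non-POSIX shlex keeps Windows backslashes intact and retains quotes,
    which are stripped afterwards."""
    tokens = shlex.split(command_line, posix=False)
    return [t.strip('"') for t in tokens[1:] if ADS_MARKER.search(t)]


def evaluate(event: ProcessEvent) -> bool:
    """Both conditions must hold, as in the rule: regini.exe AND an ADS argument."""
    return is_regini(event) and has_ads_argument(event.command_line)


# Constructed sample events (not real logs). Only the first and third should alert:
# the second is a normal .ini import, the fourth is not regini.exe, and the fifth
# is a UNC path with no colon at all.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regini.exe", "REGINI.EXE",
                 r"regini.exe C:\Users\Public\notes.txt:run.ini"),
    ProcessEvent(r"C:\Windows\System32\regini.exe", "REGINI.EXE",
                 r'regini.exe "C:\Windows\Temp\settings.ini"'),
    ProcessEvent(r"C:\Users\Public\r.exe", "REGINI.EXE",
                 r"r.exe C:\Users\Public\doc.docx:cfg"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 r"notepad.exe C:\Users\Public\doc.docx:cfg"),
    ProcessEvent(r"C:\Windows\System32\regini.exe", "REGINI.EXE",
                 r"regini.exe \\fileserver\share\config.ini"),
]


def alerts(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (command line, ADS targets) for every event the rule would flag."""
    return [(e.command_line, ads_targets(e.command_line))
            for e in events if evaluate(e)]


if __name__ == "__main__":
    for cmd, targets in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {cmd!r} -> ADS target(s) {targets}")
```

The third sample event is the one worth noting: the binary has been copied to C:\Users\Public\r.exe, so an image-path check alone would miss it, but the OriginalFileName field still reads REGINI.EXE and the event is flagged. Conversely, the second event shows why the colon test has to exclude C:\; without that exclusion every absolute path passed to regini.exe would alert.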
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2020-10-12