T1112: Modify Registry
| View on MITRE ATT&CK | T1112 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Manipulate Registry Information (CAPEC-203) |
Data from MITRE ATT&CK®:
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.
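The "Windows Registry Key Modification" data component below points at Sysmon Event ID 13 (RegistryEvent: Value Set) as the place to catch the behaviour described above. The following is an added example, not code from MITRE, Sysmon, Atomic Red Team or the Sigma project: it parses a handful of constructed Sysmon EID 13 records (sample data, not captured from a real host) and checks the modified value against a small hand-picked watchlist of well-known tampering targets that also appear in the Atomic and Sigma entries further down this page (WDigest `UseLogonCredential`, RDP `fDenyTSConnections`, `LmCompatibilityLevel`, `NoLMHash`, PowerShell `EnableScriptBlockLogging`). The watchlist is illustrative, not a complete rule set, and the event shape assumes Sysmon's usual `Details` rendering of numeric values as `DWORD (0x...)`.

```python
"""Flag T1112-style Registry tampering in Sysmon Event ID 13 records.

Added example for this page (not MITRE/Sysmon/Sigma code). Sample events
are constructed inline; the watchlist is a hand-picked subset of known
defense-evasion / credential-access settings.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon renders numeric values as "DWORD (0x00000001)" / "QWORD (0x...)".
DETAILS_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


def _eq(expected):
    return lambda v: v == expected


def _lt(limit):
    return lambda v: isinstance(v, int) and v < limit


# (regex over TargetObject, predicate on the decoded value, finding name)
WATCHLIST = [
    (r"\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$", _eq(1),
     "Wdigest UseLogonCredential enabled (plaintext creds kept in LSASS)"),
    (r"\\Control\\Terminal Server\\fDenyTSConnections$", _eq(0),
     "RDP enabled via registry"),
    (r"\\Control\\Lsa\\LmCompatibilityLevel$", _lt(3),
     "NetNTLM downgrade (LmCompatibilityLevel lowered)"),
    (r"\\Control\\Lsa\\NoLMHash$", _eq(0),
     "LM hash storage enabled"),
    (r"\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging$", _eq(0),
     "PowerShell script block logging disabled"),
]


def _sysmon13(image, target, details):
    """Build a constructed Sysmon EID 13 event in the Operational-log XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="Details">{details}</Data>
  </EventData>
</Event>"""


# Constructed sample data: three tampering events and two benign ones.
SAMPLE_EVENTS = [
    _sysmon13(r"C:\Windows\System32\reg.exe",
              r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
              "DWORD (0x00000001)"),
    _sysmon13(r"C:\Windows\System32\reg.exe",
              r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
              "DWORD (0x00000000)"),
    _sysmon13(r"C:\Windows\System32\svchost.exe",          # benign: RDP being disabled
              r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
              "DWORD (0x00000001)"),
    _sysmon13(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # hardening, not a downgrade
              r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
              "DWORD (0x00000005)"),
    _sysmon13(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
              "DWORD (0x00000000)"),
]


def decode_details(details):
    """Return an int for DWORD/QWORD details, otherwise the raw string value."""
    m = DETAILS_RE.match(details.strip())
    return int(m.group(1), 16) if m else details


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data


def analyse(events):
    """Return one finding per (event, watchlist entry) match on SetValue events."""
    findings = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["EventID"] != 13 or ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        value = decode_details(ev.get("Details", ""))
        for pattern, is_bad, name in WATCHLIST:
            if re.search(pattern, target, re.IGNORECASE) and is_bad(value):
                findings.append({"technique": "T1112", "name": name,
                                 "image": ev.get("Image"), "target": target,
                                 "value": value, "time": ev.get("UtcTime")})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['name']}: {f['image']} set {f['target']} = {f['value']}")
```

Matching on the full value path (anchored at the end) rather than on a bare value name keeps a benign write such as `fDenyTSConnections = 1` or `LmCompatibilityLevel = 5` out of the alert stream; the predicate on the decoded value carries the actual security judgement. In production the `Image` field would normally be fed into a second stage (reg.exe or PowerShell touching these paths from a user session is far more suspicious than a Group Policy client doing so).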
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a process
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Windows Registry Key Creation (Windows Registry)
Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)
Windows Registry Key Deletion (Windows Registry)
Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Disable Windows Change Password Feature
Set-Up Proxy Server
Windows HideSCAPower Group Policy Feature
Disable Windows LogOff Button
Activate Windows NoTrayContextMenu Group Policy Feature
Windows Modify Show Compress Color And Info Tip Registry
Windows HideSCANetwork Group Policy Feature
Disable Windows CMD application
Do Not Connect To Win Update
Ursnif Malware Registry Key Creation
Disable Windows Task Manager application
Activate Windows NoControlPanel Group Policy Feature
Activate Windows NoDesktop Group Policy Feature
Activate Windows NoClose Group Policy Feature
Event Viewer Registry Modification - Redirection Program
Disable Windows Notification Center
Mimic Ransomware - Enable Multiple User Sessions
Modify Registry of Local Machine - cmd
Disable Windows Shutdown Button
DisallowRun Execution Of Certain Applications
NetWire RAT Registry Key Creation
Event Viewer Registry Modification - Redirection URL
RDP Authentication Level Override
Windows Powershell Logging Disabled
Change Powershell Execution Policy to Bypass
Windows HideSCAVolume Group Policy Feature
Disable Windows Auto Reboot for current logon user
Allow RDP Remote Assistance Feature
Windows HideSCAHealth Group Policy Feature
Windows Auto Update Option to Notify before download
Disable Remote Desktop Anti-Alias Setting Through Registry
Disable Windows Toast Notifications
Terminal Server Client Connection History Cleared
Javascript in registry
Disable Windows Lock Workstation Feature
Modify Internet Zone Protocol Defaults in Current User Registry - cmd
Enabling Restricted Admin Mode via Command_Prompt
Windows Add Registry Value to Load Service in Safe Mode without Network
Activate Windows NoSetTaskbar Group Policy Feature
Activate Windows NoPropertiesMyDocuments Group Policy Feature
Modify registry to store logon credentials
Disable Win Defender Notification
Allow Simultaneous Download Registry
Activate Windows NoFileMenu Group Policy Feature
Scarab Ransomware Defense Evasion Activities
BlackByte Ransomware Registry Changes - Powershell
Modify Registry of Current User Profile - cmd
Disabling ShowUI Settings of Windows Error Reporting (WER)
Tamper Win Defender Protection
Add domain to Trusted sites Zone
Windows Add Registry Value to Load Service in Safe Mode with Network
Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
Activities To Disable Secondary Authentication Detected By Modified Registry Value.
Snake Malware Registry Blob
Activate Windows NoFind Group Policy Feature
Enabling Remote Desktop Protocol via Remote Registry
Activate Windows NoRun Group Policy Feature
Hide Windows Clock Group Policy Feature
Suppress Win Defender Notifications
Mimic Ransomware - Allow Multiple RDP Sessions per User
Disable Windows Registry Tool
Disable Windows Error Reporting Settings
Disable Windows OS Auto Update
Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
BlackByte Ransomware Registry Changes - CMD
Disable Windows Security Center Notifications
Disable Remote Desktop Security Settings Through Registry
Enable Proxy Settings
Use Powershell to Modify registry to store logon credentials
Sigma Detections for this Technique
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
NetNTLM Downgrade Attack - Registry
Blackbyte Ransomware Registry
Blue Mockingbird - Registry
New DNS ServerLevelPluginDll Installed
Access To .Reg/.Hive Files By Uncommon Application
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
CrashControl CrashDump Disabled
Allow RDP Remote Assistance Feature
Add DisallowRun Execution to Registry
Trust Access Disable For VBApplications
Enable LM Hash Storage
Registry Explorer Policy Modification
Registry Entries For Azorult Malware
New BgInfo.EXE Custom VBScript Registry Configuration
Change the Fax Dll
ETW Logging Disabled For rpcrt4.dll
Suspicious Registry Modification From ADS Via Regini.EXE
Terminal Server Client Connection History Cleared - Registry
Potential Suspicious Registry File Imported Via Reg.EXE
Potential Persistence Via Outlook Today Pages
ClickOnce Trust Prompt Tampering
New BgInfo.EXE Custom WMI Query Registry Configuration
RDP Sensitive Settings Changed
Removal of Potential COM Hijacking Registry Keys
Suspicious VBoxDrvInst.exe Parameters
Imports Registry Key From an ADS
Potentially Suspicious Desktop Background Change Via Registry
Reg Add Suspicious Paths
Sysmon Channel Reference Deletion
New BgInfo.EXE Custom DB Path Registry Configuration
OilRig APT Registry Persistence
NetNTLM Downgrade Attack
Change User Account Associated with the FAX Service
Potential Persistence Via Outlook Home Page
Potential Ursnif Malware Activity - Registry
Activate Suppression of Windows Security Center Notifications
RedMimicry Winnti Playbook Registry Manipulation
Potential Persistence Via Custom Protocol Handler
Service Binary in Suspicious Folder
Disable Security Events Logging Adding Reg Key MiniNt
Registry Hide Function from User
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potentially Suspicious Desktop Background Change Using Reg.EXE
Potential Qakbot Registry Activity
Disable Internal Tools or Feature in Registry
Office Macros Warning Disabled
RestrictedAdminMode Registry Value Tampering
ShimCache Flush
Registry Modification Via Regini.EXE
RDP Sensitive Settings Changed to Zero
Wdigest CredGuard Registry Modification
Run Once Task Execution as Configured in Registry
RestrictedAdminMode Registry Value Tampering - ProcCreation
DNS-over-HTTPS Enabled by Registry
Wdigest Enable UseLogonCredential
Disable Windows Security Center Notifications
Winlogon AllowMultipleTSSessions Enable
ETW Logging Disabled In .NET Processes - Registry
DHCP Callout DLL Installation
Uncommon Microsoft Office Trusted Location Added
Imports Registry Key From a File
Remote Registry Lateral Movement
Modification of IE Registry Settings
Potential Persistence Via Event Viewer Events.asp
NET NGenAssemblyUsageLog Registry Key Tamper
Enable LM Hash Storage - ProcCreation
Non-privileged Usage of Reg or Powershell
OceanLotus Registry Activity
Macro Enabled In A Potentially Suspicious Document
Potential NetWire RAT Activity - Registry
Run Once Task Configuration in Registry
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
ETW Logging Disabled For SCM
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.