Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [2] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [3] [4]
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [5] Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.
ID | Name | Description |
---|---|---|
C0028 | 2015 Ukraine Electric Power Attack |
During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching |
S0677 | AADInternals |
AADInternals can modify registry keys as part of setting a new pass-through authentication agent.[7] |
S0045 | ADVSTORESHELL |
ADVSTORESHELL is capable of setting and deleting Registry values.[8] |
S0331 | Agent Tesla |
Agent Tesla can achieve persistence by modifying Registry key entries.[9] |
S1025 | Amadey | |
G0073 | APT19 |
APT19 uses a Port 22 malware variant to modify several Registry keys.[11] |
G0050 | APT32 |
APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. [12] |
G0082 | APT38 |
APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[13] |
G0096 | APT41 |
APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[14][15] |
S0438 | Attor | |
S0640 | Avaddon |
Avaddon modifies several registry keys for persistence and UAC bypass.[17] |
S0031 | BACKSPACE |
BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.[18] |
S0245 | BADCALL |
BADCALL modifies the firewall Registry key |
S0239 | Bankshot |
Bankshot writes data into the Registry key |
S0268 | Bisonal |
Bisonal has deleted Registry keys to clean up its prior activity.[21] |
S0570 | BitPaymer |
BitPaymer can set values in the Registry to help in execution.[22] |
S1070 | Black Basta |
Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.[23][24][25][26][27][28] |
S1068 | BlackCat |
BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: |
G0108 | Blue Mockingbird |
Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.[30] |
S0348 | Cardinal RAT |
Cardinal RAT sets |
S0261 | Catchamas |
Catchamas creates three Registry keys to establish persistence by adding a Windows Service.[32] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell has a command to modify a Registry key.[33] |
S0631 | Chaes |
Chaes can modify Registry values to stored information and establish persistence.[34] |
S0674 | CharmPower |
CharmPower can remove persistence-related artifacts from the Registry.[35] |
S0023 | CHOPSTICK |
CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.[36] |
S0660 | Clambling | |
S0611 | Clop | |
S0154 | Cobalt Strike |
Cobalt Strike can modify Registry values within |
S0126 | ComRAT |
ComRAT has modified Registry values to store encrypted orchestrator code and payloads.[40][41] |
S0608 | Conficker |
Conficker adds keys to the Registry at |
S0488 | CrackMapExec |
CrackMapExec can create a registry key using wdigest.[44] |
S0115 | Crimson |
Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.[45] |
S0527 | CSPY Downloader |
CSPY Downloader can write to the Registry under the |
S0334 | DarkComet |
DarkComet adds a Registry value for its installation routine to the Registry Key |
S1066 | DarkTortilla |
DarkTortilla has modified registry keys for persistence.[49] |
S0673 | DarkWatchman |
DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components.[50] |
S1033 | DCSrv | |
G0035 | Dragonfly |
Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.[52] |
G1006 | Earth Lusca |
Earth Lusca modified the registry using the command |
G1003 | Ember Bear |
Ember Bear has used an open source batch script to modify Windows Defender registry keys.[54] |
S0568 | EVILNUM |
EVILNUM can make modifications to the Regsitry for persistence.[55] |
S0343 | Exaramel for Windows |
Exaramel for Windows adds the configuration to the Registry in XML format.[56] |
S0569 | Explosive |
Explosive has a function to write itself to Registry values.[57] |
S0267 | FELIXROOT |
FELIXROOT deletes the Registry key |
S0679 | Ferocious |
Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.[59] |
G0061 | FIN8 |
FIN8 has deleted Registry keys during post compromise cleanup activities.[60] |
G0047 | Gamaredon Group |
Gamaredon Group has removed security settings for VBA macro execution by changing registry values |
S0666 | Gelsemium |
Gelsemium can modify the Registry to store its components.[63] |
S0032 | gh0st RAT | |
G0078 | Gorgon Group |
Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under |
S0531 | Grandoreiro |
Grandoreiro can modify the Registry to store its configuration at |
S0342 | GreyEnergy |
GreyEnergy modifies conditions in the Registry and adds keys.[67] |
S0697 | HermeticWiper |
HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.[68][69][70] |
S0376 | HOPLIGHT |
HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.[71] |
S0203 | Hydraq |
Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[72][73] |
S0537 | HyperStack |
HyperStack can add the name of its communication pipe to |
S0260 | InvisiMole |
InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[75][76] |
S0271 | KEYMARBLE |
KEYMARBLE has a command to create Registry entries for storing data under |
G0094 | Kimsuky |
Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.[78][79][80][81] |
S0669 | KOCTOPUS | |
S0356 | KONNI |
KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.[83][84] |
S0397 | LoJax |
LoJax has modified the Registry key |
S0447 | Lokibot |
Lokibot has modified the Registry as part of its UAC bypass process.[86] |
G1014 | LuminousMoth |
LuminousMoth has used malware that adds Registry keys for persistence.[87][88] |
S1060 | Mafalda |
Mafalda can manipulate the system registry on a compromised host.[89] |
G0059 | Magic Hound |
Magic Hound has modified Registry settings for security tools.[90] |
S0576 | MegaCortex |
MegaCortex has added entries to the Registry for ransom contact information.[91] |
S1059 | metaMain |
metaMain can write the process ID of a target process into the |
S0455 | Metamorfo |
Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[92][93][94][95] |
S1047 | Mori |
Mori can write data to |
S0256 | Mosquito |
Mosquito can modify Registry keys under |
S0205 | Naid |
Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.[99] |
S0336 | NanoCore | |
S0691 | Neoichor |
Neoichor has the ability to configure browser settings by modifying Registry entries under |
S0210 | Nerex |
Nerex creates a Registry subkey that registers a new service.[103] |
S0457 | Netwalker |
Netwalker can add the following registry entry: |
S0198 | NETWIRE |
NETWIRE can modify the Registry to store its configuration information.[105] |
C0002 | Night Dragon |
During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.[106] |
S1090 | NightClub |
NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.[107] |
S0385 | njRAT |
njRAT can create, delete, or modify a specified Registry key or value.[108][109] |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors used batch files that modified registry keys.[110] |
C0014 | Operation Wocao |
During Operation Wocao, the threat actors enabled Wdigest by changing the |
S0229 | Orz | |
S0664 | Pandora |
Pandora can write an encrypted token to the Registry to enable processing of remote commands.[113] |
G0040 | Patchwork |
A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[114] |
S1050 | PcShare |
PcShare can delete its persistence mechanisms from the registry.[115] |
S0158 | PHOREAL | |
S0517 | Pillowmint |
Pillowmint has modified the Registry key |
S0501 | PipeMon |
PipeMon has modified the Registry to store its encrypted payload.[118] |
S0254 | PLAINTEE |
PLAINTEE uses |
S0013 | PlugX |
PlugX has a module to create, delete, or modify Registry keys.[120] |
S0428 | PoetRAT |
PoetRAT has made registry modifications to alter its behavior upon execution.[121] |
S0012 | PoisonIvy |
PoisonIvy creates a Registry subkey that registers a new system device.[122] |
S0518 | PolyglotDuke |
PolyglotDuke can write encrypted JSON configuration files to the Registry.[123] |
S0441 | PowerShower |
PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.[124] |
S1058 | Prestige |
Prestige has the ability to register new registry keys for a new extension handler via |
S0583 | Pysa |
Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[126] |
S0650 | QakBot |
QakBot can modify the Registry to store its configuration information in a randomly named subkey under |
S0269 | QUADAGENT |
QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.[129] |
S0262 | QuasarRAT |
QuasarRAT has a command to edit the Registry on the victim’s machine.[130][131] |
S0662 | RCSession |
RCSession can write its configuration file to the Registry.[37][132] |
S0075 | Reg |
Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.[1] |
S0511 | RegDuke |
RegDuke can create seemingly legitimate Registry key to store its encryption key.[123] |
S0019 | Regin |
Regin appears to have functionality to modify remote Registry information.[133] |
S0332 | Remcos |
Remcos has full control of the Registry, including the ability to modify it.[134] |
S0496 | REvil |
REvil can modify the Registry to save encryption parameters and system information.[135][136][137][138][139] |
S0240 | ROKRAT |
ROKRAT can modify the |
S0090 | Rover |
Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[141] |
S0148 | RTM |
RTM can delete all Registry entries created during its execution.[142] |
S0596 | ShadowPad |
ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.[143][53] |
S0140 | Shamoon |
Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting |
S0444 | ShimRat |
ShimRat has registered two registry keys for shim databases.[147] |
S0589 | Sibot |
Sibot has modified the Registry to install a second-stage script in the |
G0091 | Silence |
Silence can create, delete, or modify a specified Registry key or value.[149] |
S0692 | SILENTTRINITY |
SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[150] |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the |
S0649 | SMOKEDHAM |
SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.[152] |
S0157 | SOUNDBITE | |
S0142 | StreamEx | |
S0603 | Stuxnet | |
S0559 | SUNBURST |
SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their |
S0242 | SynAck | |
S0663 | SysUpdate |
SysUpdate can write its configuration file to |
G0092 | TA505 |
TA505 has used malware to disable Windows Defender through modification of the Registry.[159] |
S0011 | Taidoor |
Taidoor has the ability to modify the Registry on compromised hosts using |
S0467 | TajMahal |
TajMahal can set the |
S1011 | Tarrask |
Tarrask is able to delete the Security Descriptor ( |
S0560 | TEARDROP |
TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[163] |
G0027 | Threat Group-3390 |
A Threat Group-3390 tool has created new Registry keys under |
S0665 | ThreatNeedle |
ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: |
S0668 | TinyTurla |
TinyTurla can set its configuration parameters in the Registry.[166] |
S0266 | TrickBot | |
G0010 | Turla |
Turla has modify Registry values to store payloads.[168][169] |
S0263 | TYPEFRAME |
TYPEFRAME can install encrypted configuration data under the Registry key |
S0022 | Uroburos |
Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.[171] |
S0386 | Ursnif |
Ursnif has used Registry modifications as part of its installation routine.[172][173] |
S0476 | Valak |
Valak has the ability to modify the Registry key |
S0180 | Volgmer |
Volgmer modifies the Registry to store an encoded configuration file in |
S0670 | WarzoneRAT |
WarzoneRAT can create |
S0612 | WastedLocker |
WastedLocker can modify registry values within the |
S0579 | Waterbear |
Waterbear has deleted certain values from the Registry to load a malicious DLL.[182] |
G0102 | Wizard Spider |
Wizard Spider has modified the Registry key |
S0330 | Zeus Panda |
Zeus Panda modifies several Registry keys under |
S0350 | zwShell | |
S0412 | ZxShell |
ZxShell can create Registry entries to enable services to run.[186] |
ID | Mitigation | Description |
---|---|---|
M1024 | Restrict Registry Permissions |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis. |
DS0029 | Network Traffic | Network Traffic Flow |
Remote access to the registry can be achieved via
All of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function. Analytic 1 - Remote Registry
|
DS0009 | Process | OS API Execution |
Monitor for API calls associated with concealing Registry keys, such as Reghide. [2] Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [4] and RegDelNull [187]. Other API calls relevant to Registry Modification include Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
Process Creation |
Monitor processes and command-line arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. (i.e. reg.exe, regedit.exe). The analytic is oriented around detecting invocations of Reg where the parent executable is an instance of cmd.exe that wasn’t spawned by explorer.exe. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exewill typically be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be baselined so they can be tuned out accordingly. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 - Suspicious Processes
Analytic 2 - Rare LolBAS Command Lines
|
||
DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for newly constructed registry keys or values to aid in persistence and execution. Detection of creation of registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order and adversaries may execute their own malicious dll. Analytic 1 - Registry Edit with Creation of SafeDllSearchMode Key Set to 0
|
Windows Registry Key Deletion |
Monitor for unexpected deletion of windows registry keys to hide configuration information, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. |
||
Windows Registry Key Modification |
Monitor for changes made to windows registry keys or values. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). [188] Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Detection of modification of the registry key values of Notify, Userinit, and Shell located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. When a user logs on, the Registry key values of Notify, Userinit and Shell are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify
Analytic 2 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’
|