T1112: Modify Registry

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contai...

Platform: Windows. 197 detections, 4 sources, 29 threat actors.

BY SOURCE: sigma 78, splunk_escu 77, elastic 41, crowdstrike_cql 1

PROCEDURES (53)

Auto-extracted tags, each with the number of detections it covers:

Persist (19 detections)
Registry (18 detections)
Registry Monitoring (15 detections)
Bypass (12 detections)
Ransomware (9 detections)
Privilege (9 detections)
Service (8 detections)
Exfiltrat (8 detections)
Registry (7 detections)
Tamper (7 detections)
Evasion (6 detections)
Remote (5 detections)
Suspicious (5 detections)
Macro (5 detections)
Lateral (4 detections)
Credential (4 detections)
Startup (4 detections)
Powershell (3 detections)
Event Log (3 detections)
Unusual (3 detections)
Dump (2 detections)
Encrypt (2 detections)
Suspicious (2 detections)
Process Creation Monitoring (2 detections)
Dns (2 detections)
Script Block (2 detections)
Http (2 detections)
Command And Control (2 detections)
Email (2 detections)
Office (2 detections)
Driver (1 detection)
Dns (1 detection)
Lsass (1 detection)
Lsass (1 detection)
Dump (1 detection)
Wmi (1 detection)
Api (1 detection)
Tamper (1 detection)
Wmi (1 detection)
Powershell (1 detection)
Privilege (1 detection)
Inject (1 detection)
Credential (1 detection)
Suspicious (1 detection)
Event Log (1 detection)
Driver (1 detection)
Tamper (1 detection)
Api (1 detection)
Remote (1 detection)
Encrypt (1 detection)
C2 (1 detection)
Inject (1 detection)
Unusual (1 detection)

DETECTIONS (197)

Each entry is listed as: detection name (source, severity where the source provides one).

Activate Suppression of Windows Security Center Notifications (sigma, medium)
Add DisallowRun Execution to Registry (sigma, medium)
Allow RDP Remote Assistance Feature (sigma, medium)
Change the Fax Dll (sigma, high)
Change User Account Associated with the FAX Service (sigma, high)
ClickOnce Trust Prompt Tampering (sigma, medium)
Code Signing Policy Modification Through Registry (elastic, medium)
Component Object Model Hijacking (elastic, low)
CrashControl CrashDump Disabled (sigma, medium)
Deprecated - Encoded Executable Stored in the Registry (elastic, medium)
DHCP Callout DLL Installation (sigma, high)
Disable Internal Tools or Feature in Registry (sigma, medium)
Disable Registry Tool (splunk_escu)
Disable Security Events Logging Adding Reg Key MiniNt (sigma, high)
Disable Security Logs Using MiniNt Registry (splunk_escu)
Disable Show Hidden Files (splunk_escu)
Disable Windows App Hotkeys (splunk_escu)
Disable Windows Security Center Notifications (sigma, medium)
Disabling CMD Application (splunk_escu)
Disabling ControlPanel (splunk_escu)
Disabling Lsa Protection via Registry Modification (elastic, high)
Disabling NoRun Windows App (splunk_escu)
Disabling User Account Control via Registry Modification (elastic, medium)
DNS Global Query Block List Modified or Disabled (elastic, medium)
DNS-over-HTTPS Enabled by Registry (sigma, medium)
DNS-over-HTTPS Enabled via Registry (elastic, low)
Enable LM Hash Storage (sigma, high)
Enable LM Hash Storage - ProcCreation (sigma, high)
Enable WDigest UseLogonCredential Registry (splunk_escu)
ETW Logging Disabled For rpcrt4.dll (sigma, low)
ETW Logging Disabled For SCM (sigma, low)
ETW Logging Disabled In .NET Processes - Registry (sigma, high)
ETW Logging Disabled In .NET Processes - Sysmon Registry (sigma, high)
FodHelper UAC Bypass (splunk_escu)
Full User-Mode Dumps Enabled System-Wide (elastic, medium)
Image File Execution Options Injection (elastic, medium)
Imports Registry Key From a File (sigma, medium)
Imports Registry Key From an ADS (sigma, high)
Installation of Security Support Provider (elastic, medium)
Local Account TokenFilter Policy Disabled (elastic, medium)
Macro Enabled In A Potentially Suspicious Document (sigma, high)
Malicious InProcServer32 Modification (splunk_escu)
Microsoft Windows Defender Tampering (elastic, medium)
Modification of AmsiEnable Registry Key (elastic, high)
Modification of IE Registry Settings (sigma, low)
Modification of WDigest Security Provider (elastic, high)
MS Office Macro Security Registry Modifications (elastic, medium)
NET NGenAssemblyUsageLog Registry Key Tamper (sigma, high)
NetNTLM Downgrade Attack (sigma, high)
NetNTLM Downgrade Attack - Registry (sigma, high)
Netsh Helper DLL (elastic, low)
Network-Level Authentication (NLA) Disabled (elastic, low)
New BgInfo.EXE Custom DB Path Registry Configuration (sigma, medium)
New BgInfo.EXE Custom VBScript Registry Configuration (sigma, medium)
New BgInfo.EXE Custom WMI Query Registry Configuration (sigma, medium)
New DNS ServerLevelPluginDll Installed (sigma, high)
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE (sigma, high)
Non-privileged Usage of Reg or Powershell (sigma, high)
NullSessionPipe Registry Modification (elastic, medium)
Office Macros Warning Disabled (sigma, high)
Office Test Registry Persistence (elastic, low)
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry (sigma, high)
Outlook Home Page Registry Modification (elastic, high)
Persistence via Hidden Run Key Detected (elastic, high)
Persistence via WMI Standard Registry Provider (elastic, high)
Port Forwarding Rule Addition (elastic, medium)
Potential NetNTLMv1 Downgrade Attack (elastic, medium)
Potential Persistence Via Custom Protocol Handler (sigma, medium)
Potential Persistence Via Event Viewer Events.asp (sigma, medium)
Potential Persistence via Mandatory User Profile (elastic, medium)
Potential Persistence Via Outlook Home Page (sigma, high)
Potential Persistence Via Outlook Today Page (sigma, high)
Potential Privilege Escalation via Service ImagePath Modification (elastic, medium)
Potential Qakbot Registry Activity (sigma, high)
Potential RemoteMonologue Attack (elastic, medium)
Potential Suspicious Registry File Imported Via Reg.EXE (sigma, medium)
Potential Tampering With RDP Related Registry Keys Via Reg.EXE (sigma, high)
Potentially Suspicious Desktop Background Change Using Reg.EXE (sigma, medium)
Potentially Suspicious Desktop Background Change Via Registry (sigma, medium)
PowerShell Logging Disabled Via Registry Key Tampering (sigma, high)
PowerShell Script Block Logging Disabled (elastic, medium)
Privilege Escalation via Windir Environment Variable (elastic, high)
RDP Enabled via Registry (elastic, medium)
RDP Sensitive Settings Changed (sigma, high)
RDP Sensitive Settings Changed to Zero (sigma, medium)
RedMimicry Winnti Playbook Registry Manipulation (sigma, high)
Reg Add Suspicious Paths (sigma, high)
Registry Entries For Azorult Malware (sigma, critical)
Registry Explorer Policy Modification (sigma, medium)
Registry Hide Function from User (sigma, medium)
Registry Manipulation via WMI Stdregprov (sigma, medium)
Registry Modification Attempt Via VBScript (sigma, medium)
Registry Modification Attempt Via VBScript - PowerShell (sigma, medium)
Registry Modification for OCI DLL Redirection (sigma, high)
Registry Modification of MS-settings Protocol Handler (sigma, medium)
Registry Modification Via Regini.EXE (sigma, low)
Registry Persistence via AppInit DLL (elastic, medium)
Registry Tampering by Potentially Suspicious Processes (sigma, medium)
Remcos client registry install entry (splunk_escu)
Remote Registry Lateral Movement (sigma, high)
Removal of Potential COM Hijacking Registry Keys (sigma, medium)
RestrictedAdminMode Registry Value Tampering (sigma, high)
RestrictedAdminMode Registry Value Tampering - ProcCreation (sigma, high)
Revil Registry Entry (splunk_escu)
Run Once Task Configuration in Registry (sigma, medium)
Run Once Task Execution as Configured in Registry (sigma, low)
Rundll32 Shimcache Flush (splunk_escu)
Security Event Logging Disabled via MiniNt Registry Key - Process (sigma, high)
Security Event Logging Disabled via MiniNt Registry Key - Registry Set (sigma, high)
Service Binary in Suspicious Folder (sigma, high)
ShimCache Flush (sigma, high)
SolarWinds Process Disabling Services via Registry (elastic, medium)
Startup or Run Key Registry Modification (elastic, low)
Suspicious ImagePath Service Creation (elastic, high)
Suspicious Print Spooler Point and Print DLL (elastic, high)
Suspicious Reg exe Process (splunk_escu)
Suspicious Registry Modification From ADS Via Regini.EXE (sigma, high)
Suspicious Registry Modifications (crowdstrike_cql)
Suspicious Startup Shell Folder Modification (elastic, high)
Suspicious VBoxDrvInst.exe Parameters (sigma, medium)
Sysmon Channel Reference Deletion (sigma, high)
Terminal Server Client Connection History Cleared - Registry (sigma, high)
Trust Access Disable For VBApplications (sigma, high)
Uncommon Microsoft Office Trusted Location Added (sigma, high)
Uncommon Registry Persistence Change (elastic, medium)
Unusual Persistence via Services Registry (elastic, low)
User Shell Folders Registry Modification via CommandLine (sigma, high)
Wdigest CredGuard Registry Modification (sigma, high)
Wdigest Enable UseLogonCredential (sigma, high)
Werfault ReflectDebugger Persistence (elastic, low)
Windows Defender ASR Registry Modification (splunk_escu)
Windows Defender ASR Rule Disabled (splunk_escu)
Windows Defender Disabled via Registry Modification (elastic, low)
Windows Deleted Registry By A Non Critical Process File Path (splunk_escu)
Windows Disable Change Password Through Registry (splunk_escu)
Windows Disable Lock Workstation Feature Through Registry (splunk_escu)
Windows Disable LogOff Button Through Registry (splunk_escu)
Windows Disable Notification Center (splunk_escu)
Windows Disable Shutdown Button Through Registry (splunk_escu)
Windows Disable Windows Group Policy Features Through Registry (splunk_escu)
Windows Event Log Access Tampering Via Registry (sigma, high)
Windows Hide Notification Features Through Registry (splunk_escu)
Windows Impair Defenses Disable AV AutoStart via Registry (splunk_escu)
Windows InProcServer32 New Outlook Form (splunk_escu)
Windows Modify Registry AuthenticationLevelOverride (splunk_escu)
Windows Modify Registry Auto Minor Updates (splunk_escu)
Windows Modify Registry Auto Update Notif (splunk_escu)
Windows Modify Registry Configure BitLocker (splunk_escu)
Windows Modify Registry Default Icon Setting (splunk_escu)
Windows Modify Registry Delete Firewall Rules (splunk_escu)
Windows Modify Registry Disable RDP (splunk_escu)
Windows Modify Registry Disable Restricted Admin (splunk_escu)
Windows Modify Registry Disable Toast Notifications (splunk_escu)
Windows Modify Registry Disable Win Defender Raw Write Notif (splunk_escu)
Windows Modify Registry Disable WinDefender Notifications (splunk_escu)
Windows Modify Registry Disable Windows Security Center Notif (splunk_escu)
Windows Modify Registry DisableRemoteDesktopAntiAlias (splunk_escu)
Windows Modify Registry DisableSecuritySettings (splunk_escu)
Windows Modify Registry Disabling WER Settings (splunk_escu)
Windows Modify Registry DisAllow Windows App (splunk_escu)
Windows Modify Registry Do Not Connect To Win Update (splunk_escu)
Windows Modify Registry DontShowUI (splunk_escu)
Windows Modify Registry EnableLinkedConnections (splunk_escu)
Windows Modify Registry LongPathsEnabled (splunk_escu)
Windows Modify Registry MaxConnectionPerServer (splunk_escu)
Windows Modify Registry No Auto Reboot With Logon User (splunk_escu)
Windows Modify Registry No Auto Update (splunk_escu)
Windows Modify Registry NoChangingWallPaper (splunk_escu)
Windows Modify Registry on Smart Card Group Policy (splunk_escu)
Windows Modify Registry ProxyEnable (splunk_escu)
Windows Modify Registry ProxyServer (splunk_escu)
Windows Modify Registry Qakbot Binary Data Registry (splunk_escu)
Windows Modify Registry Regedit Silent Reg Import (splunk_escu)
Windows Modify Registry Risk Behavior (splunk_escu)
Windows Modify Registry Suppress Win Defender Notif (splunk_escu)
Windows Modify Registry Tamper Protection (splunk_escu)
Windows Modify Registry to Add or Modify Firewall Rule (splunk_escu)
Windows Modify Registry UpdateServiceUrlAlternate (splunk_escu)
Windows Modify Registry USeWuServer (splunk_escu)
Windows Modify Registry Utilize ProgIDs (splunk_escu)
Windows Modify Registry ValleyRAT C2 Config (splunk_escu)
Windows Modify Registry ValleyRat PWN Reg Entry (splunk_escu)
Windows Modify Registry With MD5 Reg Key Name (splunk_escu)
Windows Modify Registry WuServer (splunk_escu)
Windows Modify Registry wuStatusServer (splunk_escu)
Windows Modify Show Compress Color And Info Tip Registry (splunk_escu)
Windows New InProcServer32 Added (splunk_escu)
Windows Outlook Dialogs Disabled from Unusual Process (splunk_escu)
Windows Outlook LoadMacroProviderOnBoot Persistence (splunk_escu)
Windows Outlook WebView Registry Modification (splunk_escu)
Windows Routing and Remote Access Service Registry Key Change (splunk_escu)
Windows RunMRU Registry Key or Value Deleted (splunk_escu)
Windows Set Network Profile Category to Private via Registry (splunk_escu)
Windows Snake Malware Registry Modification wav OpenWithProgIds (splunk_escu)
Windows SnappyBee Create Test Registry (splunk_escu)
Windows Subsystem for Linux Distribution Installed (elastic, medium)
Winlogon AllowMultipleTSSessions Enable (sigma, medium)