Applied Cybernetics Group
T1112 — Modify Registry
- Technique: T1112
- Tactics: Defense Impairment, Persistence
- MISP citations: 0
- KEV CVEs mapped: 4
- Community rules: 94
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1112
MITRE description
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.

The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- OceanLotus Registry Activity (emerging-threats)
- OilRig APT Activity (emerging-threats)
- OilRig APT Registry Persistence (emerging-threats)
- OilRig APT Schedule Task Persistence - Security (emerging-threats)
- OilRig APT Schedule Task Persistence - System (emerging-threats)
- Potential Ursnif Malware Activity - Registry (emerging-threats)
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry (emerging-threats)
- Blue Mockingbird (emerging-threats)
- Blue Mockingbird - Registry (emerging-threats)
- FlowCloud Registry Markers (emerging-threats)
- Blackbyte Ransomware Registry (emerging-threats)
- Potential NetWire RAT Activity - Registry (emerging-threats)
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap (emerging-threats)
- Access To .Reg/.Hive Files By Uncommon Applications (threat-hunting)
- Microsoft Office Trusted Location Updated (threat-hunting)
- Service Binary in User Controlled Folder (threat-hunting)
- Remote Registry Lateral Movement (core)
- ETW Logging Disabled In .NET Processes - Registry (core)
- NetNTLM Downgrade Attack (core)
- Sysmon Channel Reference Deletion (core)
- Registry Modification Attempt Via VBScript - PowerShell (core)
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE (core)
- Security Event Logging Disabled via MiniNt Registry Key - Process (core)
- Potentially Suspicious Desktop Background Change Using Reg.EXE (core)
- Potential Suspicious Registry File Imported Via Reg.EXE (core)
Showing 25 of 94 community rules; the full set is tagged attack.t1112 in SigmaHQ.