T1112

Modify Registry

One technique to rule many techniques: adversaries modify the registry to harvest credentials, bypass security controls, and much more.

Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2023. 

 


Analysis

Why do adversaries modify the registry?

Because the registry is a generic database that Windows uses for myriad purposes, an adversary can use it for myriad purposes too. Modifying the registry is rarely the goal in itself, however; it is a means to an end for executing other techniques. The following, non-exhaustive list comprises the various techniques that registry modification facilitates:

Boot or Logon Autostart Execution (T1547)

Example registry keys that facilitate this technique:

  • [HKLM|HKCU]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • [HKLM|HKCU]\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

OS Credential Dumping (T1003)

Example registry keys that facilitate this technique:

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Example registry keys that facilitate this technique:

Inhibit System Recovery (T1490)

Example registry keys that facilitate this technique:

Execution Guardrails (T1480.001)

Adversaries commonly store payloads, and/or the key material needed to decrypt or decode those payloads, in the registry. The benefit to an adversary is that the payload is stored separately from the runner, making detection, forensics, and analysis more difficult. An adversary can select any registry key/value to store payload and/or key material. For example, Solarmarker malware stores some of its payload in the HKCU\SOFTWARE key.

Impair Defenses (T1562)

Example registry keys that facilitate this technique:

Indicator Removal (T1070)

Example registry keys that facilitate this technique:

Subvert Trust Controls: SIP and Trust Provider Hijacking (T1553.003)

Example registry keys that facilitate persistence:

Subvert Trust Controls: Install Root Certificate (T1553.004)

Example registry keys that facilitate persistence:

 

How do adversaries modify the registry?

Considering how common it is to perform registry operations in Windows and all the different techniques it facilitates, there are many different ways to modify the registry. An adversary has the following, non-exhaustive list of options when modifying the registry:

Win32 APIs, Native APIs, Syscalls

An adversary can interact with registry APIs directly, including RegCreateKey, RegSetValue, [Nt/Zw]CreateKey, and [Nt/Zw]SetValueKey, among others.

Windows Script Host (VBScript/JScript)

Both VBScript and JScript code can perform registry modifications by using the RegWrite method.

Registry modification will occur within the context of the process that executed the VBScript or JScript code: e.g., cscript.exe, wscript.exe, scrcons.exe, etc.

PowerShell

PowerShell has the following built-in cmdlets for performing registry modification: New-Item and Set-ItemProperty.

reg.exe

The built-in reg.exe utility can be used to perform registry modifications both directly on the command line and by importing a text file consisting of desired registry modifications.

Registry modification will occur within the context of reg.exe.

regini.exe

The built-in regini.exe utility can be used to perform registry modifications. It consumes a text file consisting of registry modifications to perform.

Registry modification will occur within the context of regini.exe.

Windows Management Instrumentation (WMI)

The WMI StdRegProv class exposes the following methods for performing registry modification: CreateKey, SetBinaryValue, SetDWORDValue, SetQWORDValue, SetExpandedStringValue, SetMultiStringValue, and SetStringValue.

Registry modification will occur within the context of wmiprvse.exe.

MSI files

MSI files expose a WriteRegistryValues Action to support the creation and modification of registry keys and values.

Registry modification will occur within the context of msiexec.exe.

Associated threats

There is no generalized guidance for preventing registry modification. Registry modification needs to occur in Windows, as it is the primary storage mechanism for software configurations.

Tactical prevention is possible in limited scenarios where a more restrictive Access Control List (ACL) can be defined for a specific, targeted registry key. Default registry permissions are already fairly restrictive: for example, the majority of modifications to the HKEY_LOCAL_MACHINE (HKLM) hive require administrative access. Be mindful that modifying existing registry key ACLs can affect system stability if done incorrectly. Beyond the default operating system ACLs, detection should take priority over prevention and mitigation.
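Before deciding whether a tighter ACL on a targeted key is worth the stability risk, it helps to know who can already write to it. The following PowerShell is an added example, not part of the original report: it reads the DACL of the autostart keys listed above and reports every principal holding a write-capable right (SetValue, CreateSubKey, or WriteKey). The key list is the page's; the function name is an assumption for this example.

```powershell
# Added example (not from the original report): list which principals can
# write to the autostart keys named above, so an overly permissive DACL can be
# found before any ACL change is attempted.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey

function Get-RegistryWriteAccess {
    # Hypothetical helper name for this example.
    param([Parameter(Mandatory)][string[]]$KeyPath)   # Registry:: provider paths
    foreach ($Path in $KeyPath) {
        if (-not (Test-Path -Path $Path)) { continue }
        $Acl = Get-Acl -Path $Path
        foreach ($Ace in $Acl.Access) {
            # Report only ACEs that carry at least one write-capable right.
            if (($Ace.RegistryRights -band $WriteRights) -ne 0) {
                [PSCustomObject]@{
                    Key       = $Path
                    Principal = $Ace.IdentityReference.Value
                    Type      = $Ace.AccessControlType   # Allow or Deny
                    Rights    = $Ace.RegistryRights
                    Inherited = $Ace.IsInherited
                }
            }
        }
    }
}

Get-RegistryWriteAccess -KeyPath @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
) | Format-Table -AutoSize
```

On a default install the HKLM keys show write rights only for Administrators, SYSTEM, and TrustedInstaller, while the HKCU key is writable by the interactive user; any additional principal with an Allow write right on the HKLM keys is worth explaining.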


Visibility

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Windows Registry

MITRE tracks Windows Registry (DS0024) as a data source for observing registry modification. Windows supports native registry monitoring through System Access Control Lists (SACLs) applied to keys; audited modifications are logged as event ID 4657. Vendors can also track registry modification in the kernel using a RegistryCallback routine.
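The SACL route above needs two things before event 4657 appears: the Object Access "Registry" audit subcategory must be enabled (a SACL on its own logs nothing), and an audit ACE must exist on the key. The following PowerShell is an added example, not part of the original report; it applies both to the key that the tests on this page modify. The function name is an assumption for this example, and the commands must run from an elevated prompt because reading and writing SACLs requires SeSecurityPrivilege.

```powershell
# Added example (not from the original report): make SACL-based auditing
# produce event ID 4657 for one key. Run from an elevated prompt.

# 1. Enable the Object Access > Registry subcategory; without it, SACLs on
#    keys are silently ignored.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add an audit ACE to the key. The key path is the one used by the tests
#    on this page; "Everyone" makes the SACL fire for any principal.
function Add-RegistryAuditRule {
    # Hypothetical helper name for this example.
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # Registry:: provider path
        [string]$Principal = 'Everyone'
    )
    # The test key may not exist yet on a clean profile; create it so the
    # ACE has somewhere to live.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    $Acl  = Get-Acl -Path $KeyPath -Audit          # -Audit loads the SACL
    $Rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Principal,
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )
    $Acl.AddAuditRule($Rule)
    Set-Acl -Path $KeyPath -AclObject $Acl
}

Add-RegistryAuditRule -KeyPath 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings'

# 3. After any of the tests below sets AmsiEnable, the write shows up here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

Event 4657 is only raised for value changes; key creation and deletion under the same SACL surface as 4663 (object access) and 4660 (object deleted), so a detection built on the Security log needs all three IDs to cover the Sysmon 12/13/14 equivalents.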


Collection

Note: The collection sections of this report showcase specific log sources from Windows events, Sysmon, and elsewhere that you can use to collect relevant security information.

Sysmon event IDs 12, 13, and 14: RegistryEvents

Sysmon is a wonderful tool for collecting registry modification events with its support for RegistryEvent events (event IDs 12, 13, and 14).

The following Sysmon configuration snippet can be used to log registry modification. This will log registry events that will be used in the tests below.

<RegistryEvent onmatch="include">
  <TargetObject condition="end with">Software\Microsoft\Windows Script\Settings\AmsiEnable</TargetObject>
</RegistryEvent>

Here is the content of an example captured event:

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2023-01-24 18:37:15.583
ProcessGuid: {341a3ad8-2493-63d0-5e14-000000000700}
ProcessId: 8508
Image: C:\Windows\regedit.exe
TargetObject: HKU\S-1-5-21-2813513604-3727797718-1720596618-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable
Details: DWORD (0x00000000)
User: TestHost\Tester
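The captured event above is the rendered message; when collecting from the log programmatically, the same fields live in the event's EventData as named Data elements. The following PowerShell is an added example, not part of the original report: it pulls Sysmon event ID 13 records from the operational log, projects the fields shown in the captured event, and keeps those whose TargetObject ends with the AmsiEnable suffix from the configuration snippet. The function name and its parameter names are assumptions for this example; Sysmon must be installed and the caller needs read access to the log.

```powershell
# Added example (not from the original report): read Sysmon "Registry value
# set" events (ID 13) and expose the fields shown in the captured event above.
function Get-SysmonRegistryValueSet {
    # Hypothetical helper name for this example.
    param(
        [string]$TargetSuffix = 'AmsiEnable',   # matches the "end with" rule above
        [int]$MaxEvents = 50
    )
    $Filter = @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 13
    }
    Get-WinEvent -FilterHashtable $Filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon writes each field as <Data Name="...">value</Data>; index by Name.
            $Xml  = [xml]$_.ToXml()
            $Data = @{}
            foreach ($Node in $Xml.Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
            [PSCustomObject]@{
                UtcTime      = $Data['UtcTime']
                EventType    = $Data['EventType']
                ProcessId    = $Data['ProcessId']
                Image        = $Data['Image']
                TargetObject = $Data['TargetObject']
                Details      = $Data['Details']
                User         = $Data['User']
            }
        } |
        Where-Object { $_.TargetObject -like "*$TargetSuffix" }
}

# Usage: run after one of the tests below and compare with the captured event.
Get-SysmonRegistryValueSet | Format-List
```

The same Data-by-Name projection works for event IDs 12 and 14; only the field set differs (12 carries no Details, 14 adds NewName).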


Detection opportunities

Due to the broad applicability of registry modification for legitimate and malicious purposes, higher-signal detection strategies will entail narrowing the scope of detections to registry modifications targeting specific techniques and/or threats, some of which are outlined above. There can never be a generic, high-signal “registry modification” detection analytic due to the overly broad scope of the registry and its inherent dual-use nature.

To that point, as of this writing, we have 87 detection analytics that look for various flavors of malicious and suspicious registry modifications. Many of them rely on exclusions or regular expressions, and, while they’re effective at Red Canary scale, they’re prohibitively complicated and difficult to synthesize into a report like this one. As such, in lieu of specific pseudo-detectors, we offer the following guidance as a starting point for detection:

Some registry modification utilities are used much less than others and could serve as the basis of a more tool-focused, generic detection. For example, wscript.exe and regini.exe are used relatively infrequently for legitimate purposes.

Depending on the size and maturity of the environment, spending the time to tune out expected activity for run keys can provide your detection team with an easy way to detect a common persistence mechanism for commodity malware.
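The two pieces of guidance above translate directly into a starting-point analytic. The following PowerShell is an added example, not one of the report's own detectors: it flags any value-set event whose image is one of the rarely used tools named above, and any run-key write whose image is not on an allow-list of expected writers. The allow-list, the sample events, and the function name are all constructed for this example; field names follow the Sysmon event shown in the Collection section.

```powershell
# Added example (not from the original report): a starting-point detector that
# applies the guidance above to Sysmon event ID 13 records.

# Images that legitimately modify the registry only rarely; any value-set
# event from them is surfaced.
$RareImages = @('wscript.exe', 'regini.exe')

# Run-key writers expected in this hypothetical environment. Tune this to the
# deployment tooling your environment actually uses.
$ExpectedRunKeyWriters = @(
    'C:\Windows\System32\msiexec.exe',
    'C:\Program Files\Example Installer\setup.exe'   # placeholder, constructed
)

# Matches a value directly under Run or RunOnce (trailing backslash keeps
# RunServices and similar keys out).
$RunKeyPattern = '\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\'

function Test-SuspiciousRegistryEvent {
    # Hypothetical helper name for this example. $Event needs Image,
    # TargetObject, Details and User, as Sysmon logs them.
    param([Parameter(Mandatory)]$Event)
    $Leaf = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    if ($RareImages -contains $Leaf) {
        return "rare registry tool: $Leaf wrote $($Event.TargetObject)"
    }
    if ($Event.TargetObject -match $RunKeyPattern -and
        $ExpectedRunKeyWriters -notcontains $Event.Image) {
        return "unexpected run-key write by $($Event.Image): $($Event.Details)"
    }
    return $null
}

# Constructed sample events (SIDs and paths are made up for the example).
$Samples = @(
    [PSCustomObject]@{ Image = 'C:\Windows\System32\wscript.exe'
                       TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable'
                       Details = 'DWORD (0x00000000)'; User = 'TestHost\Tester' }
    [PSCustomObject]@{ Image = 'C:\Users\Tester\AppData\Local\Temp\update.exe'
                       TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
                       Details = 'C:\Users\Tester\AppData\Local\Temp\update.exe'; User = 'TestHost\Tester' }
    [PSCustomObject]@{ Image = 'C:\Windows\System32\msiexec.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent'
                       Details = '"C:\Program Files\Example\agent.exe"'; User = 'NT AUTHORITY\SYSTEM' }
)

foreach ($Sample in $Samples) {
    $Reason = Test-SuspiciousRegistryEvent -Event $Sample
    if ($Reason) { Write-Output "[ALERT] $($Sample.User): $Reason" }
}
```

Run against the samples, the first two events are reported (rare tool, unexpected run-key writer) and the msiexec.exe write is tuned out. The allow-list is where the tuning effort described above goes; matching on the full image path rather than the file name keeps a renamed binary in a user-writable directory from inheriting the exclusion.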


Testing

There are many ways to perform registry modification. The following tests will highlight setting a single registry value using multiple techniques. These tests are not meant to be all-inclusive, but represent a significant cross-section of methods for performing registry modification at an adversary’s disposal. The registry value that will be set using the varying techniques is the following:

HKCU\Software\Microsoft\Windows Script\Settings - AmsiEnable (REG_DWORD) - 0x00000000

You can find removal instructions here.

VBScript

Save the following VBScript content to amsi.vbs:

WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable", 0, "REG_DWORD"

Execute the above VBScript code by executing the following:

cscript.exe amsi.vbs

Alternatively, wscript.exe can be used:

wscript.exe amsi.vbs

JScript

Save the following JScript content to amsi.js:

(new ActiveXObject("WScript.Shell")).RegWrite("HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", 0, "REG_DWORD");

Execute the above JScript code by executing the following:

cscript.exe amsi.js

Alternatively, wscript.exe can be used:

wscript.exe amsi.js

PowerShell

Set-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings' -Name 'AmsiEnable' -Type DWord -Value 0

reg.exe

The following example demonstrates setting a registry value directly at the command line:

reg.exe ADD "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable /t REG_DWORD /d 0x00000000

Alternatively, reg.exe can import a text file consisting of the desired registry settings. Save the following text to amsi.reg:

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]
"AmsiEnable"=dword:00000000

And execute the following:

reg.exe import amsi.reg

regini.exe

Save the following content to amsi.txt:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
    "AmsiEnable" = REG_DWORD 0

And execute the following:

regini.exe amsi.txt

WMI

There are many different ways to interact with WMI. We will use PowerShell in this example:

Invoke-CimMethod -Namespace 'ROOT/default' -ClassName 'StdRegProv' -MethodName 'SetDWORDValue' -Arguments @{
    hDefKey     = ([UInt32] 2147483649)
    sSubKeyName = 'Software\Microsoft\Windows Script\Settings'
    sValueName  = 'AmsiEnable'
    uValue      = ([UInt32] '0x00000000')
}

The Set-ATHRegistry function within the AtomicTestHarnesses module can also be used to generate most of the above examples automatically. The following examples generated most of the above content:

Set-ATHRegistry -Method VBScriptWscriptShellRegWrite -Hive HKCU -KeyPath 'Software\Microsoft\Windows Script\Settings' -ValueName AmsiEnable -ValueDword 0


Set-ATHRegistry -Method JScriptWscriptShellRegWrite -Hive HKCU -KeyPath 'Software\Microsoft\Windows Script\Settings' -ValueName AmsiEnable -ValueDword 0


Set-ATHRegistry -Method PowerShell -Hive HKCU -KeyPath 'Software\Microsoft\Windows Script\Settings' -ValueName AmsiEnable -ValueDword 0


Set-ATHRegistry -Method RegExeCommandLine -Hive HKCU -KeyPath 'Software\Microsoft\Windows Script\Settings' -ValueName AmsiEnable -ValueDword 0


Set-ATHRegistry -Method WMI -Hive HKCU -KeyPath 'Software\Microsoft\Windows Script\Settings' -ValueName AmsiEnable -ValueDword 0