Description
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API. The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
Threat-Mapped Scoring
ATT&CK Kill Chain Metadata
- Tactics: defense-evasion, persistence
- Platforms: Windows
-
Detection Guidance:
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
Malware
- ADVSTORESHELL
- Agent Tesla
- Amadey
- Attor
- Avaddon
- BACKSPACE
- BADCALL
- Bankshot
- Bisonal
- BitPaymer
- Black Basta
- BlackByte 2.0 Ransomware
- BlackByte Ransomware
- BlackCat
- CHIMNEYSWEEP
- CHOPSTICK
- Cardinal RAT
- Catchamas
- Caterpillar WebShell
- Chaes
- CharmPower
- Clambling
- Clop
- Cobalt Strike
- ComRAT
- Conficker
- Crimson
- DCSrv
- DarkComet
- DarkTortilla
- DarkWatchman
- EVILNUM
- Exaramel for Windows
- Explosive
- FELIXROOT
- Ferocious
- Gelsemium
- Grandoreiro
- GreyEnergy
- HOPLIGHT
- HermeticWiper
- Hydraq
- HyperStack
- IPsec Helper
- InvisiMole
- KEYMARBLE
- KOCTOPUS
- KONNI
- Kapeka
- LoJax
- LockBit 2.0
- LockBit 3.0
- Lokibot
- Mafalda
- MegaCortex
- Metamorfo
- Mori
- Mosquito
- NETWIRE
- Naid
- NanoCore
- Neoichor
- Nerex
- Netwalker
- NightClub
- Orz
- PHOREAL
- PLAINTEE
- Pandora
- Pillowmint
- PipeMon
- PlugX
- PoetRAT
- PoisonIvy
- PolyglotDuke
- PowerShower
- Prestige
- Pysa
- QUADAGENT
- QakBot
- RCSession
- REvil
- ROKRAT
- RTM
- RegDuke
- Regin
- Rover
- SLOTHFULMEDIA
- SMOKEDHAM
- SOUNDBITE
- SUNBURST
- Samurai
- ShadowPad
- Shamoon
- ShimRat
- ShrinkLocker
- Sibot
- StreamEx
- Stuxnet
- SynAck
- SysUpdate
- TEARDROP
- TRANSLATEXT
- TYPEFRAME
- Taidoor
- TajMahal
- Tarrask
- ThreatNeedle
- TinyTurla
- TrickBot
- Uroburos
- Ursnif
- Valak
- Volgmer
- WarzoneRAT
- WastedLocker
- Waterbear
- Zeus Panda
- ZxShell
- gh0st RAT
- metaMain
- njRAT
- zwShell