Modify Registry

Modify Registry [T1112]

Information

Name: Modify Registry
ID: T1112
Tactics:

Introduction

Modify Registry (Technique ID: T1112) is a persistence and defense evasion technique included in the MITRE ATT&CK framework. Attackers leverage registry modifications to ensure continuous access, evade detection, and maintain persistence on compromised Windows systems. Modifying registry keys allows adversaries to manipulate system behavior, disable security features, and execute malicious payloads automatically upon system startup or user login.

Deep Dive Into Technique

The Windows Registry is a hierarchical database that stores configuration settings and options for the operating system, applications, and hardware devices. Attackers commonly modify registry keys and values to achieve persistence, escalate privileges, disable security controls, or hide malicious activities.

Common registry modification methods include:

Registry Run Keys / Startup Keys:
- Attackers add entries to the following registry locations to ensure malware executes automatically upon system startup or user login:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Service Registry Modifications:
- Adversaries create or modify registry keys related to Windows services to execute malicious binaries as system services, typically under:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Security Feature Disabling:
- Attackers alter registry keys to disable antivirus software, firewall settings, or Windows Defender. Common registry locations include:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Registry Modification for Privilege Escalation:
- Attackers may manipulate registry keys to escalate privileges, such as modifying the Image File Execution Options (IFEO) to hijack legitimate processes:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Registry Keys for Credential Storage:
- Malicious actors may store credentials, configuration data, or encryption keys in registry keys to evade detection and maintain persistence.

Attackers typically use built-in utilities (reg.exe, PowerShell cmdlets), scripting languages, or malware to perform these modifications.

When this Technique is Usually Used

Attackers commonly employ registry modifications across multiple stages of the attack lifecycle, including:

Persistence:
- Establishing long-term access to compromised systems by ensuring malware executes automatically on startup or user login.
Privilege Escalation:
- Manipulating registry settings to escalate privileges or bypass User Account Control (UAC).
Defense Evasion:
- Disabling antivirus software, firewall policies, or other security controls by altering relevant registry settings.
Execution:
- Leveraging registry keys to execute malicious binaries, scripts, or payloads automatically.
Credential Access:
- Storing captured credentials or sensitive information discreetly within registry keys for later retrieval.
Command and Control (C2):
- Storing C2 server information or configuration parameters within registry keys to evade detection.

How this Technique is Usually Detected

Detection methods involve monitoring and analyzing registry activities, modifications, and related system behaviors. Key detection approaches include:

Registry Auditing and Monitoring:
- Enable auditing of registry key modifications through Windows Event Logs (Event ID 4657, 4656).
- Monitor specific registry locations commonly targeted by attackers, including Run keys, service keys, and security-related keys.
Endpoint Detection and Response (EDR) Tools:
- EDR solutions can detect suspicious registry modifications, correlate them with other malicious activities, and alert security teams.
Behavioral Analysis Tools:
- Tools like Sysmon can log detailed registry modifications, providing visibility into registry-based persistence or privilege escalation.
Indicators of Compromise (IoCs):
- Suspicious registry keys or values created or modified, such as:
  - Unexpected entries in Run keys or RunOnce keys.
  - Creation or modification of services with unusual binary paths.
  - Disabled security features (e.g., Windows Defender) via registry keys.
  - Unusual modifications to Image File Execution Options (IFEO) keys.
Threat Hunting Techniques:
- Regularly scan registry hives for anomalous entries or unauthorized changes.
- Correlate registry changes with other suspicious activities, such as unexpected process creation or network connections.

Why it is Important to Detect This Technique

Timely detection of registry modifications is critical due to the significant impact such techniques can have on systems and networks:

Persistence and Long-term Access:
- Attackers use registry modifications to maintain long-term access, making remediation and recovery difficult without detection.
Privilege Escalation:
- Unauthorized registry changes can lead to privilege escalation, allowing attackers to gain administrative rights and further compromise systems.
Defense Evasion:
- Disabling security controls via registry modifications leaves systems vulnerable to additional attacks and malware infections.
Data Exfiltration and Credential Theft:
- Attackers may store sensitive data or credentials in registry keys, facilitating stealthy exfiltration and further exploitation.
System Stability and Integrity:
- Malicious registry modifications can lead to system instability, degraded performance, or system crashes, impacting productivity and operational continuity.

Early detection allows organizations to quickly respond, isolate compromised systems, remediate threats, and prevent further damage or lateral movement within the network.

Examples

Real-world examples of registry modification techniques include:

APT41 (Winnti Group):
- Utilized registry Run keys for persistence, adding malicious binaries to execute during system startup, ensuring continuous access to compromised systems.
TrickBot Malware:
- Modified registry keys to disable Windows Defender and other security software:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware set to 1.
FIN7 Group:
- Leveraged registry modifications to establish persistence by creating malicious Windows services under:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Emotet Malware:
- Persisted through registry Run keys, adding entries pointing to malicious executables, ensuring automatic execution upon user login.
Ryuk Ransomware:
- Modified registry keys to disable backups and shadow copies, hindering recovery efforts:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections set to 0.
DarkComet RAT:
- Stored configuration and C2 addresses within registry keys, evading detection and facilitating stealthy command and control operations.

These examples demonstrate the widespread use and significant impact of registry modification techniques across various threat actors and malware families.

Last updated 1 month ago