ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Windows Registry Key Creation

Initial construction of a new registry key within the Windows operating system.

Data Collection Measures:

Windows Event Logs
- Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys.
- Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation.
Sysmon (System Monitor) for Windows
- Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created.

ID: DC0056

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
WinEventLog:Sysmon	EventCode=12

Detection Strategy

ID	Name	Technique Detected
DET0496	Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)	T1219
DET0312	Detect Active Setup Persistence via StubPath Execution	T1547.014
DET0225	Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)	T1547.008
DET0361	Detecting .NET COM Registration Abuse via Regsvcs/Regasm	T1218.009
DET0222	Detecting MMC (.msc) Proxy Execution and Malicious COM Activation	T1218.014
DET0194	Detection of Malicious Control Panel Item Execution via control.exe or Rundll32	T1218.002
DET0328	Detection of Malicious Profile Installation via CMSTP.exe	T1218.003
DET0422	Detection Strategy for IFEO Injection on Windows	T1546.012
DET0317	Detection Strategy for Impair Defenses Across Platforms	T1562
DET0116	Detection Strategy for Safe Mode Boot Abuse	T1562.009
DET0056	Detection Strategy for Subvert Trust Controls via Install Root Certificate.	T1553.004