ATT&CK v19 has been released! Check out the blog post for more information.

Windows Registry Key Creation

Initial construction of a new registry key within the Windows operating system.

ID: DC0056

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
WinEventLog:Sysmon	EventCode=12

Detection Strategy

ID	Name	Technique Detected
DET0496	Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)	T1219
DET0312	Detect Active Setup Persistence via StubPath Execution	T1547.014
DET0225	Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)	T1547.008
DET0901	Detect Windows Firewall	T1686.003
DET0361	Detecting .NET COM Registration Abuse via Regsvcs/Regasm	T1218.009
DET0222	Detecting MMC (.msc) Proxy Execution and Malicious COM Activation	T1218.014
DET0194	Detection of Malicious Control Panel Item Execution via control.exe or Rundll32	T1218.002
DET0328	Detection of Malicious Profile Installation via CMSTP.exe	T1218.003
DET0422	Detection Strategy for IFEO Injection on Windows	T1546.012
DET0116	Detection Strategy for Safe Mode Boot Abuse	T1688
DET0056	Detection Strategy for Subvert Trust Controls via Install Root Certificate.	T1553.004