Windows Registry Key Modification

Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4657 - A registry value was modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations. The event records the modifying process, the subject account, and both the old and new value data, but it is generated only when the Audit Registry subcategory (Object Access) is enabled and the target key carries a SACL that audits Set Value; keys without a SACL produce no 4657 at all.
    • Event ID 4663 - An attempt was made to access an object: Records audited handle operations on a registry key (read, write, delete) and is the companion to 4657 when the key's SACL covers those access types.
    • Event ID 4670 - Permissions on an object were changed: Records changes to a registry key's DACL, which covers the "altering permissions" case in the description above.
  • Sysmon (System Monitor) for Windows
    • Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values, including the target path (TargetObject), the written data (Details) and the writing process (Image), but only for keys matched by the RegistryEvent include/exclude rules in the Sysmon configuration; a sparse configuration silently misses writes to the keys listed under Log Sources.
    • Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys and values, which may indicate evasion attempts.
  • Endpoint Detection and Response (EDR) Solutions
    • Monitor registry modifications for suspicious behavior. EDR telemetry typically records the writing process, user and value together, which is what allows a registry write to be correlated with the process creation and DLL load events that several of the detection strategies below rely on.
ID: DC0063
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 22 October 2025

Log Sources

Name                  Channel
m365:unified          MacroSecuritySettingsChanged or SafeModeDisabled
macos:unifiedlog      g_CiOptions modification or SIP state change
Windows Registry      None
WinEventLog:Security  EventCode=4657
WinEventLog:Security  EventCode=4663
WinEventLog:Security  EventCode=4670
WinEventLog:Security  modification to Winlogon registry keys such as Shell, Notify, or Userinit
WinEventLog:Security  Registry key modification HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
WinEventLog:Sysmon    EventCode=13
WinEventLog:Sysmon    EventCode=14
WinEventLog:Sysmon    StubPath value written under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
WinEventLog:Sysmon    EventCode=13, 14
WinEventLog:Sysmon    Autoruns reports DLLs in AppInit_DLLs key
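Added example, not part of the MITRE page or its detection strategies: a small normalizer that takes Windows Security 4657 and Sysmon Event ID 13 events, folds both into one key\value path (4657 reports the kernel object name \REGISTRY\MACHINE\..., Sysmon reports HKLM\...), and matches that path against the registry locations the Log Sources table names (Winlogon Shell/Userinit/Notify, AppInit_DLLs, Active Setup StubPath, DNSClient EnableMulticast), tagging each hit with the technique of the corresponding detection strategy. The watchlist, the technique mapping and the sample events are constructed here; the Wow6432Node variant of AppInit_DLLs is an addition the page does not name, and the EventData field names are the documented ones for those two event types.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Registry paths named in the Log Sources table, mapped to the ATT&CK technique the
# corresponding detection strategy covers. Matched case-insensitively against a
# normalized "HKLM\..." / "HKU\..." key\value path. (Constructed watchlist.)
WATCHLIST = [
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
     r"(Shell|Userinit|Notify(\\|$))", "T1547.004", "Winlogon helper"),
    (r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
     r"AppInit_DLLs$", "T1546.010", "AppInit_DLLs"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
     "T1547.014", "Active Setup StubPath"),
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient\\EnableMulticast$",
     "T1557.001", "LLMNR policy"),
]

# 4657 names the kernel object (\REGISTRY\MACHINE\...); Sysmon uses HKLM\ / HKU\.
HIVE_PREFIXES = [("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")]


def normalize_path(path):
    """Fold a 4657 object name into the Sysmon-style path so one watchlist serves both."""
    upper = path.upper()
    for prefix, hive in HIVE_PREFIXES:
        if upper.startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_event(xml_text):
    """Return {source, path, value, process, user} for 4657 / Sysmon 13, else None."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    d = {x.get("Name"): (x.text or "") for x in root.findall("e:EventData/e:Data", NS)}
    if provider == "Microsoft-Windows-Security-Auditing" and event_id == "4657":
        return {"source": "Security:4657",
                "path": normalize_path(d["ObjectName"]) + "\\" + d["ObjectValueName"],
                "value": d.get("NewValue", ""), "process": d.get("ProcessName", ""),
                "user": d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", "")}
    # Check the provider too: ID 13 is only meaningful on the Sysmon channel.
    if provider == "Microsoft-Windows-Sysmon" and event_id == "13":
        return {"source": "Sysmon:13", "path": normalize_path(d["TargetObject"]),
                "value": d.get("Details", ""), "process": d.get("Image", ""),
                "user": d.get("User", "")}
    return None


def match_watchlist(path):
    for pattern, technique, label in WATCHLIST:
        if re.match(pattern, path, re.IGNORECASE):
            return technique, label
    return None


def detect(xml_events):
    """Parse each event and return one alert dict per watchlist hit, in input order."""
    alerts = []
    for xml_text in xml_events:
        write = parse_event(xml_text)
        hit = match_watchlist(write["path"]) if write else None
        if hit:
            alerts.append(dict(write, technique=hit[0], label=hit[1]))
    return alerts


def make_event(provider, event_id, channel, data):
    """Build a minimal event XML document (constructed sample, not a real log export)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed samples; field names follow the real event schemas
    # Sysmon 13: reg.exe rewrites Winlogon\Shell to launch an extra binary.
    make_event("Microsoft-Windows-Sysmon", "13", "Microsoft-Windows-Sysmon/Operational", {
        "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": r"explorer.exe, C:\Users\Public\update.exe", "User": r"CORP\alice"}),
    # Security 4657: regedit writes AppInit_DLLs; note the \REGISTRY\MACHINE object name.
    make_event("Microsoft-Windows-Security-Auditing", "4657", "Security", {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
        "ObjectValueName": "AppInit_DLLs", "OldValue": "",
        "NewValue": r"C:\Users\Public\helper.dll", "ProcessName": r"C:\Windows\regedit.exe"}),
    # Sysmon 13: benign per-user Explorer setting; must not alert.
    make_event("Microsoft-Windows-Sysmon", "13", "Microsoft-Windows-Sysmon/Operational", {
        "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)", "User": r"CORP\alice"}),
    # Security 4663 (handle access) is among this page's log sources but is not a value write.
    make_event("Microsoft-Windows-Security-Auditing", "4663", "Security", {
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
        "AccessMask": "0x2", "ProcessName": r"C:\Windows\System32\reg.exe"}),
]
```

`detect(SAMPLE_EVENTS)` yields two alerts (the Winlogon Shell write from Sysmon and the AppInit_DLLs write from 4657) and ignores the benign Explorer setting and the 4663 handle-access event. Two caveats follow from the Data Collection Measures above: the 4657 record exists only if the Audit Registry subcategory is enabled and the key has a matching SACL, and the Sysmon 13 record exists only if the Sysmon configuration includes that key, so a quiet watchlist can mean missing telemetry rather than absence of activity; checking that both sources actually produce events for a test write to one of these keys is part of deploying the rule.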

Detection Strategy

ID Name Technique Detected
DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) T1518.002
DET0280 Behavior-Based Registry Modification Detection on Windows T1112
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0329 Behavioral Detection for T1490 - Inhibit System Recovery T1490
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0184 Behavioral Detection of Indicator Removal Across Platforms T1070
DET0089 Behavioral Detection of Keylogging Activity Across Platforms T1056.001
DET0049 Behavioral Detection of Network History and Configuration Tampering T1070.007
DET0274 Boot or Logon Autostart Execution Detection Strategy T1547
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0085 Credential Dumping from SAM via Registry Dump and Local File Access T1003.002
DET0122 Detect Abuse of Windows Time Providers for Persistence T1547.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0312 Detect Active Setup Persistence via StubPath Execution T1547.014
DET0296 Detect Adversary-in-the-Middle via Network and Configuration Anomalies T1557
DET0523 Detect Code Signing Policy Modification (Windows & macOS) T1553.006
DET0250 Detect Credential Discovery via Windows Registry Enumeration T1552.002
DET0061 Detect Default File Association Hijack via Registry & Execution Correlation on Windows T1546.001
DET0187 Detect disabled Windows event logging T1562.002
DET0462 Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows T1557.001
DET0207 Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load T1547.002
DET0472 Detect Malicious Password Filter DLL Registration T1556.002
DET0104 Detect Modification of Authentication Processes Across Platforms T1556
DET0580 Detect Network Provider DLL Registration and Credential Capture T1556.008
DET0398 Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks T1137
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0315 Detect Persistence via Office Test Registry DLL Injection T1137.002
DET0365 Detect Registry and Startup Folder Persistence (Windows) T1547.001
DET0154 Detect Screensaver-Based Persistence via Registry and Execution Chains T1546.002
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) T1547.008
DET0404 Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows T1547.004
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0350 Detecting Downgrade Attacks T1562.010
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0764 Detection of Adversary-in-the-Middle T0830
DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence T1003.001
DET0145 Detection of Disabled or Modified System Firewalls across OS Platforms. T1562.004
DET0497 Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. T1562.001
DET0750 Detection of Indicator Removal on Host T0872
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0040 Detection of Persistence Artifact Removal Across Host Platforms T1070.009
DET0209 Detection of Registry Query for Environmental Discovery T1012
DET0765 Detection of Service Stop T0881
DET0746 Detection of Spoof Reporting Message T0856
DET0441 Detection of Suspicious Scheduled Task Creation and Execution on Windows T1053.005
DET0571 Detection of System Process Creation or Modification Across Platforms T1543
DET0552 Detection of Windows Service Creation or Modification T1543.003
DET0345 Detection Strategy for Abuse Elevation Control Mechanism (T1548) T1548
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0362 Detection Strategy for AppCert DLLs Persistence via Registry Injection T1546.009
DET0017 Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) T1546.011
DET0579 Detection Strategy for Device Driver Discovery T1652
DET0557 Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) T1546.010
DET0344 Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory T1027.011
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0461 Detection Strategy for Hidden File System Abuse T1564.005
DET0353 Detection Strategy for Hidden User Accounts T1564.002
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0128 Detection Strategy for Hidden Windows T1564.003
DET0218 Detection Strategy for Hijack Execution Flow across OS platforms. T1574
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0427 Detection Strategy for Hijack Execution Flow through Service Registry Permission Weakness. T1574.011
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. T1574.007
DET0479 Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. T1574.012
DET0422 Detection Strategy for IFEO Injection on Windows T1546.012
DET0317 Detection Strategy for Impair Defenses Across Platforms T1562
DET0239 Detection Strategy for Impair Defenses Indicator Blocking T1562.006
DET0246 Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying T1111
DET0575 Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) T1546.007
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0116 Detection Strategy for Safe Mode Boot Abuse T1562.009
DET0442 Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. T1553.003
DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate. T1553.004
DET0279 Detection Strategy for System Services across OS platforms. T1569
DET0421 Detection Strategy for System Services Service Execution T1569.002
DET0042 Detection Strategy for T1218.012 Verclsid Abuse T1218.012
DET0212 Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) T1505.005
DET0204 Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) T1547.010
DET0388 Detection Strategy for T1548.002 – Bypass User Account Control (UAC) T1548.002
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0542 Registry and LSASS Monitoring for Security Support Provider Abuse T1547.005
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0481 Windows COM Hijacking Detection via Registry and DLL Load Correlation T1546.015
DET0026 Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence T1547.012