Windows Registry

A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations.[1]

ID: DS0024
Platform: Windows
Collection Layer: Host
Version: 1.0
Created: 20 October 2021
Last Modified: 11 May 2022

Data Components

Windows Registry: Windows Registry Key Access

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

Domain ID Name Detects
Enterprise T1003 OS Credential Dumping

Monitor for access to the SAM registry key by processes that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

.002 Security Account Manager

Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

.004 LSA Secrets

Monitor for access to the LSA secrets, which are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.

Enterprise T1012 Query Registry

Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor for attempts to access information stored in the Registry about certificates and their associated private keys. For example, user certificates are commonly stored under HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates.[2][3]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Monitor for access to Windows Registry keys that may be used to gather information about the system language of a victim in order to infer the geographical location of that host.

Enterprise T1033 System Owner/User Discovery

Monitor for access to the SAM registry key by processes that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

Enterprise T1552 Unsecured Credentials

Monitor for unexpected Windows Registry keys being accessed by processes that may search compromised systems to find and obtain insecurely stored credentials.

.002 Credentials in Registry

Monitor for unexpected Windows Registry keys being accessed by processes that may search the Registry on compromised systems for insecurely stored credentials.

Windows Registry: Windows Registry Key Creation

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

Domain ID Name Detects
Enterprise T1547 Boot or Logon Autostart Execution

Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.

.001 Registry Run Keys / Startup Folder

Monitor for newly created Windows Registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

.014 Active Setup

Monitor Registry key additions to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.[4] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor for newly constructed Windows Registry keys that may use scripts automatically executed at boot or logon initialization to establish persistence.

.001 Logon Script (Windows)

Monitor for the creation/modification of Registry keys associated with Windows logon scripts, namely HKCU\Environment\UserInitMprLogonScript.

Enterprise T1176 Browser Extensions

Monitor for any new items written to the Registry, or PE files written to disk, that may correlate with browser extension installation.

Enterprise T1543 Create or Modify System Process

Monitor for newly constructed Windows Registry keys that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

.003 Windows Service

Monitor for newly constructed Windows Registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.[5]

.009 Impair Defenses: Safe Mode Boot

Monitor Registry creation for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.[6][7]

Enterprise T1112 Modify Registry

Monitor for newly constructed registry keys or values to aid in persistence and execution.

Enterprise T1137 Office Application Startup

Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.[8][9]

.001 Office Template Macros

Collect events related to Registry key creation for keys that could be used for Office-based persistence.[8][9]

.002 Office Test

Monitor for the creation of the Office Test Registry key. Collect events related to Registry key creation for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.[10]

.006 Add-ins

Audit the Registry entries relevant for enabling add-ins.[11][12]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Monitor for newly constructed registry keys upon creation of new task. Deletion of values/keys in the registry may further indicate malicious activity.

Enterprise T1553 Subvert Trust Controls

Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:[13]
* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
* 3B1EFD3A66EA28B16697394703A72CA340A05BD5
* 7F88CD7223F3C813818C994614A89C99FA3B5247
* 8F43288AD272F3103B6FB1428485EA3014C0BCFE
* A43489159A520F0D93D032CCAF37E7FE20A8B419
* BE36A4562FB2EE05DBB3D32323ADF445084ED656
* CDD4EEAE6000AC7F40C3802C171E30148030C072

.004 Install Root Certificate

Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:[13]
* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
* 3B1EFD3A66EA28B16697394703A72CA340A05BD5
* 7F88CD7223F3C813818C994614A89C99FA3B5247
* 8F43288AD272F3103B6FB1428485EA3014C0BCFE
* A43489159A520F0D93D032CCAF37E7FE20A8B419
* BE36A4562FB2EE05DBB3D32323ADF445084ED656
* CDD4EEAE6000AC7F40C3802C171E30148030C072

Windows Registry: Windows Registry Key Deletion

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

Domain ID Name Detects
Enterprise T1562 Impair Defenses

Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.001 Disable or Modify Tools

Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Microsoft\AMSI\Providers.

Enterprise T1070 Indicator Removal

Monitor for deleted Windows Registry keys that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.009 Clear Persistence

Monitor for deleted Windows Registry keys that may remove or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor for deleted Windows Registry keys that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques.

Enterprise T1112 Modify Registry

Monitor for unexpected deletion of Windows Registry keys to hide configuration information, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Windows Registry: Windows Registry Key Modification

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.

.002 Bypass User Account Control

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:
* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.[14]
* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.[15][16]
Analysts should monitor these Registry settings for unauthorized changes.

Enterprise T1557 Adversary-in-the-Middle

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

.001 LLMNR/NBT-NS Poisoning and SMB Relay

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

ICS T0830 Adversary-in-the-Middle

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

Enterprise T1547 Boot or Logon Autostart Execution

Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.

.001 Registry Run Keys / Startup Folder

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [4]

.002 Authentication Package

Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. [17] [18]

.003 Time Providers

Monitor for changes made to Windows Registry keys and/or values that modify W32Time information in the Registry.

.004 Winlogon Helper DLL

Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. [4]

.005 Security Support Provider

Monitor the Registry for changes to the SSP Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. [17] [18]

.010 Port Monitors

Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism.[4]

.012 Print Processors

Monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver as they pertain to print processor installations.

.014 Active Setup

Monitor Registry key modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.[4] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Enterprise T1543 Create or Modify System Process

Monitor for changes to Windows Registry keys and/or values that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

.003 Windows Service

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Changes to the binary path, or a service startup type changed from manual or disabled to automatic when the service does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.[4]

Enterprise T1074 Data Staged

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

.001 Local Data Staging

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

Enterprise T1546 Event Triggered Execution

Monitor for changes made to Windows Registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

.001 Change Default File Association

Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.

.002 Screensaver

Monitor for changes to screensaver configuration in the Registry that do not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry.

.007 Netsh Helper DLL

Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. [19]

.008 Accessibility Features

Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

.009 AppCert DLLs

Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc.

.010 AppInit DLLs

Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc.

.011 Application Shimming

Monitor for changes to Windows Registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

.012 Image File Execution Options Injection

Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc.

.015 Component Object Model Hijacking

There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\Software\Classes\CLSID\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.[20] Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.

Enterprise T1564 Hide Artifacts

Monitor for changes made to Windows Registry keys and/or values that may attempt to hide artifacts associated with adversary behaviors to evade detection.

.002 Hidden Users

Monitor for unexpected modifications of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key or its values.

.005 Hidden File System

Monitor for changes made to Windows Registry keys and/or values that may use a hidden file system to conceal malicious activity from users and security tools.

.006 Run Virtual Instance

Monitor for changes made to Windows Registry keys and/or values that may be the result of using a virtual instance to avoid detection. For example, if virtualization software is installed by the adversary the Registry may provide detection opportunities.

Enterprise T1574 Hijack Execution Flow

Monitor for changes made to Windows Registry keys and/or values that may execute malicious payloads by hijacking the way operating systems run programs.

.007 Path Interception by PATH Environment Variable

Monitor for modifications of PATH environment variable Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path. An adversary can add a new directory or list of directories before other locations where programs can be executed from.

.011 Services Registry Permissions Weakness

Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.

.012 COR_PROFILER

For detecting system and user scope abuse of the COR_PROFILER variable, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools.

Enterprise T1562 Impair Defenses

Monitor Registry edits for modifications to services and startup programs that correspond to security tools.

.001 Disable or Modify Tools

Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender.

.004 Disable or Modify System Firewall

Monitor for changes made to Windows Registry keys and/or values that adversaries might use to disable or modify system firewall settings, such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.

.006 Indicator Blocking

To detect changes to ETW, also monitor the registry key that contains the configuration for all ETW event providers: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME\{PROVIDER_GUID}

.009 Safe Mode Boot

Monitor modifications to Registry data associated with enabling safe mode. For example, a service can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.[6][7]

Enterprise T1070 Indicator Removal

Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.007 Clear Network Connection History and Configurations

Monitor for changes to Registry keys (ex: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default) and associated values that may be malicious attempts to conceal adversary network connection history.

.009 Clear Persistence

Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques.

Enterprise T1490 Inhibit System Recovery

Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).

Enterprise T1056 Input Capture

Monitor Windows Registry keys and values for unexpected modifications.

.001 Keylogging

Monitor Windows Registry keys and values for unexpected modifications.

Enterprise T1556 Modify Authentication Process

Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), then correlate and investigate the DLL files these entries reference.

.002 Password Filter DLL

Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages), then correlate and investigate the DLL files these entries reference.

Enterprise T1112 Modify Registry

Monitor for changes made to Windows Registry keys or values. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods).[21] Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.

Enterprise T1111 Multi-Factor Authentication Interception

Monitor for changes to Windows Registry keys or values that may target multi-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources.

Enterprise T1137 Office Application Startup

Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.[8][9]

.001 Office Template Macros

Collect events related to Registry key modification for keys that could be used for Office-based persistence.[8][9]

.002 Office Test

Monitor for changes made to the Office Test Registry key. Collect events related to Registry key modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.[10]

.006 Add-ins

Audit the Registry entries relevant for enabling add-ins.[11][12]

Enterprise T1505 .005 Server Software Component: Terminal Services DLL

Monitor for changes to Registry keys associated with ServiceDll and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\.

Enterprise T1489 Service Stop

Monitor for changes made to Windows Registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.

ICS T0881 Service Stop

Monitor for changes made to Windows Registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.

ICS T0856 Spoof Reporting Message

Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see LLMNR/NBT-NS Poisoning and SMB Relay.

Enterprise T1553 Subvert Trust Controls

Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: [13] Also consider enabling the Registry Global Object Access Auditing [22] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:[23]

.003 SIP and Trust Provider Hijacking

Enable the Registry Global Object Access Auditing [22] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:[23]
* HKLM\SOFTWARE\Microsoft\Cryptography\OID
* HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
* HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
* HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

Note: As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using Regsvr32.[24]

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[24]

.004 Install Root Certificate

Monitoring changes to the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:[13]
* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
* 3B1EFD3A66EA28B16697394703A72CA340A05BD5
* 7F88CD7223F3C813818C994614A89C99FA3B5247
* 8F43288AD272F3103B6FB1428485EA3014C0BCFE
* A43489159A520F0D93D032CCAF37E7FE20A8B419
* BE36A4562FB2EE05DBB3D32323ADF445084ED656
* CDD4EEAE6000AC7F40C3802C171E30148030C072

.006 Code Signing Policy Modification

Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.

Enterprise T1218 System Binary Proxy Execution

Monitor for changes made to Windows Registry keys and/or values that may forge credential materials that can be used to gain access to web applications or Internet services.

.002 Control Panel

Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:
* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel.[25]
* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).[25]
* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.[25]

Enterprise T1569 System Services

Monitor for changes made to Windows Registry keys and/or values that may abuse system services or daemons to execute commands or programs.

.002 Service Execution

Monitor for changes made to Windows Registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.
