Behavior chain involving abnormal registry modifications made via the command line, PowerShell, WMI, or direct API calls, especially those targeting keys used for persistence, privilege escalation, or defense evasion, potentially followed by a service restart or process execution. Examples include editing the Notify, Userinit, or Startup keys, or disabling SafeDllSearchMode.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| RegistryKeyPathPatterns | Environment-specific list of monitored or critical registry keys, e.g., Run, Services, Security Settings, LSASS |
| ParentProcessAllowList | Allowlist of legitimate registry tools (e.g., regedit.exe, msiexec.exe); used to filter known safe writes |
| TimeWindow | Correlate registry change with nearby process/service execution within a defined timeframe |
| SignatureCheck | Flag unsigned executables or abnormal parent-child lineage performing registry modification |
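The following is an added example, not part of the original detection strategy page, showing how the tunables in the table above (RegistryKeyPathPatterns, ParentProcessAllowList, TimeWindow, SignatureCheck) combine into one analytic over Sysmon EventCode 13/14 and EventCode 1 records. The log lines are constructed, flattened key=value records in the shape of Sysmon fields; the `Signed` field is not native to Sysmon events 1 or 13 and is assumed here to come from an enrichment step. The key patterns and allowlist values are illustrative placeholders that an environment would replace with its own list.

```python
"""Correlate Sysmon registry modifications (EventCode 13/14) with nearby process creation (EventCode 1)."""
import re
from datetime import datetime, timedelta

# Tunables named after the fields in the table above. Values are constructed examples.
REGISTRY_KEY_PATH_PATTERNS = [
    r"\\CurrentVersion\\Run(Once)?\b",                      # Run / RunOnce autostart keys
    r"\\CurrentVersion\\Winlogon\\(Notify|Userinit|Shell)",  # Winlogon persistence values
    r"\\Session Manager\\SafeDllSearchMode",                 # DLL search order hardening flag
    r"\\Services\\[^\\]+\\ImagePath",                        # service binary path
]
PARENT_PROCESS_ALLOW_LIST = {"regedit.exe", "msiexec.exe"}   # known-good registry writers
TIME_WINDOW = timedelta(minutes=2)                          # registry write -> child process

# Constructed sample records; "Signed" is assumed enrichment, not a native Sysmon field.
CONSTRUCTED_EVENTS = [
    r"UtcTime=2024-05-01 10:00:05.000|EventCode=13|ProcessId=4100|Image=C:\Windows\System32\reg.exe|"
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|"
    r"Details=C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Roaming\upd.exe|Signed=true",
    r"UtcTime=2024-05-01 10:00:09.000|EventCode=1|ProcessId=4200|Image=C:\Users\alice\AppData\Roaming\upd.exe|"
    r"ParentImage=C:\Windows\System32\reg.exe|ParentProcessId=4100|Signed=false",
    r"UtcTime=2024-05-01 10:05:00.000|EventCode=1|ProcessId=4250|Image=C:\Windows\System32\whoami.exe|"
    r"ParentImage=C:\Windows\System32\reg.exe|ParentProcessId=4100|Signed=true",   # outside the window
    r"UtcTime=2024-05-01 10:20:00.000|EventCode=13|ProcessId=4300|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode|Details=DWORD (0x00000000)|Signed=true",
    r"UtcTime=2024-05-01 11:30:00.000|EventCode=13|ProcessId=5200|Image=C:\Windows\System32\msiexec.exe|"
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor|Details=C:\Program Files\Vendor\tray.exe|Signed=true",
    r"UtcTime=2024-05-01 12:00:00.000|EventCode=13|ProcessId=6100|Image=C:\Windows\System32\notepad.exe|"
    r"TargetObject=HKCU\Software\Notepad\WindowSize|Details=DWORD (0x00000400)|Signed=true",
]


def parse_event(line):
    """Split a flattened 'key=value|key=value' record into a dict with a parsed timestamp."""
    event = dict(pair.split("=", 1) for pair in line.split("|"))
    event["UtcTime"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return event


def is_monitored_key(target_object, patterns=REGISTRY_KEY_PATH_PATTERNS):
    """RegistryKeyPathPatterns: does the written key match any critical-key pattern?"""
    return any(re.search(p, target_object, re.IGNORECASE) for p in patterns)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines, patterns=REGISTRY_KEY_PATH_PATTERNS,
           allow_list=PARENT_PROCESS_ALLOW_LIST, window=TIME_WINDOW):
    """Return one alert per suspicious registry write, with the reasons it fired."""
    events = [parse_event(line) for line in lines]
    registry_events = [e for e in events if e["EventCode"] in ("13", "14")]
    process_events = [e for e in events if e["EventCode"] == "1"]
    alerts = []
    for reg in registry_events:
        if not is_monitored_key(reg["TargetObject"], patterns):
            continue  # not a critical key: ignore
        writer = basename(reg["Image"])
        if writer in allow_list:
            continue  # ParentProcessAllowList: known-good tool, filtered out
        reasons = [f"non-allowlisted writer {writer}"]
        if reg.get("Signed") == "false":
            reasons.append("unsigned writer")  # SignatureCheck on the writing process
        for proc in process_events:
            # TimeWindow: a child of the writing process started within the window
            delta = proc["UtcTime"] - reg["UtcTime"]
            if proc.get("ParentProcessId") == reg["ProcessId"] and timedelta(0) <= delta <= window:
                tag = "unsigned " if proc.get("Signed") == "false" else ""
                reasons.append(f"spawned {tag}child {basename(proc['Image'])} {delta.seconds}s after write")
        alerts.append({"target": reg["TargetObject"], "writer": writer, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert["writer"], "->", alert["target"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Run against the constructed records, the analytic raises two alerts: the reg.exe write to Userinit, escalated because an unsigned child was spawned four seconds later, and the PowerShell change to SafeDllSearchMode, flagged on the writer alone. The msiexec.exe Run-key write is dropped by the allowlist and the notepad.exe write never matches a monitored key, which is the tuning trade-off the table describes: the pattern list and allowlist decide the noise floor, and the time window and signature check decide how strongly a hit is escalated.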