
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

ID: M1024
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1112 Modify Registry

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Enterprise T1058 Service Registry Permissions Weakness

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Enterprise T1489 Service Stop

Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.

Enterprise T1198 SIP and Trust Provider Hijacking

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. If malicious modifications to these Registry keys are not prevented, the components may still be hijacked to point at suitable functions already present on disk.

Enterprise T1209 Time Providers

Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry.[1]
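The following audit script is an added example, not part of the ATT&CK page or a MITRE tool: it walks the service key tree that T1058 and T1489 depend on and reports Allow ACEs that grant write-capable rights to low-privileged principals. It assumes Windows PowerShell 5.1 or later on a host where HKLM can be read; the function name and the list of principals to flag are assumptions.

```powershell
# Added example (not from MITRE ATT&CK): audit service Registry keys for write-capable
# ACEs held by low-privileged principals. Read-only; it changes no permissions.
# Assumes Windows PowerShell 5.1+ and read access to HKLM.
function Find-WeakServiceKeyAcl {
    [CmdletBinding()]
    param(
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        # Principals that should never hold write rights on service keys (assumed list).
        [string[]]$LowPrivPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Rights that let a principal change how a service is configured, loaded or stopped.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership

    Get-ChildItem -Path $BasePath -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # FullControl and generic-write masks also match because they include these bits.
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# List findings; pipe to Export-Csv to track drift between audits.
Find-WeakServiceKeyAcl | Format-Table -AutoSize
```

Review each hit before tightening the ACL with Set-Acl or Group Policy, since some services legitimately grant write access to their own service SID or to a dedicated service account, which this filter does not flag.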

References