Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [1]hide NOV 2006 Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. [2] [3]

The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. [4] Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.

ID: T1112

Tactic: Defense Evasion

Platform:  Windows

Permissions Required:  User, Administrator, SYSTEM

Data Sources:  Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs

Defense Bypassed:  Host forensic analysis

Contributors:  Bartosz Jerzman, Travis Smith, Tripwire, David Lu, Tripwire

Version: 1.0

Examples

NameDescription
ADVSTORESHELL

ADVSTORESHELL is capable of setting and deleting Registry values.[5]

APT19

APT19 uses a Port 22 malware variant to modify several Registry keys.[6]

BACKSPACE

BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.[7]

BADCALL

BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\List.[8]

Bankshot

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[9]

Catchamas

Catchamas creates three Registry keys to establish persistence by adding a New Service.[10]

CHOPSTICK

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[11]

Dragonfly 2.0

Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.[12]

FELIXROOT

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[13]

FIN8

FIN8 has deleted Registry keys during post compromise cleanup activities.[14]

Gorgon Group

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[15]

Honeybee

Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[16]

Hydraq

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[17][18]

InvisiMole

InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[19]

KEYMARBLE

KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath.[20]

Mosquito

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32with a path to the launcher.[21]

Naid

Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.[22]

Nerex

Nerex creates a Registry subkey that registers a new service.[23]

Patchwork

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[24]

PHOREAL

PHOREAL is capable of manipulating the Registry.[25]

PLAINTEE

PLAINTEE uses reg add to add a Registry Run key for persistence.[26]

PoisonIvy

PoisonIvy creates a Registry subkey that registers a new system device.[27]

QUADAGENT

QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.[28]

QuasarRAT

QuasarRAT has a command to edit the Registry on the victim’s machine.[29]

Reg

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.[1]

Regin

Regin appears to have functionality to modify remote Registry information.[30]

Rover

Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[31]

RTM

RTM can delete all Registry entries created during its execution.[32]

Shamoon

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.[33][34]

SOUNDBITE

SOUNDBITE is capable of modifying the Registry.[25]

StreamEx

StreamEx has the ability to modify the Registry.[35]

SynAck

SynAck can manipulate Registry keys.[36]

Threat Group-3390

A Threat Group-3390 tool can create a new Registry key under HKEY_CURRENT_USER\Software\Classes\.[37]

TYPEFRAME

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[38]

Volgmer

Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentContorlSet\Control\WMI\Security.[39][40]

Mitigation

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting [41] tools like AppLocker [42] [43] or Software Restriction Policies [44] where appropriate. [45]

Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). [46] Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.

Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. [47] Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [3] and RegDelNull [48].

References

  1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  2. Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
  3. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
  4. Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
  5. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  6. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  7. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  8. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  9. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  10. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  11. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  12. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  13. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  14. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  15. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  16. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  17. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  18. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  19. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  20. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  21. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  22. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  23. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  24. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  1. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  2. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  3. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  4. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  5. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  6. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  7. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  8. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  9. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  10. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  11. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  12. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  13. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  14. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  15. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  16. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  17. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  18. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  19. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  20. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  21. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  22. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
  23. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
  24. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.