Modify Registry

From ATT&CK
Jump to: navigation, search
Modify Registry
Technique
ID T1112
Tactic Defense Evasion
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required User, Administrator, SYSTEM
Data Sources Windows Registry, File monitoring, Process monitoring, Process command-line parameters
Defense Bypassed Host forensic analysis

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.1 Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).

The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system.2 Often Legitimate Credentials are required, along with access to the remote system's Windows Admin Shares for RPC communication.

Examples

  • Regin appears to have functionality to modify remote Registry information.3
  • CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.4
  • BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.5
  • Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.1
  • Rover has functionality to remove Registry Run key persistence as a cleanup procedure.6
  • Once Shamoon has access to a network share, it enables the remote Registry service on the target system and enables share access by setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 0.7 It also modifies the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.8

Mitigation

Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting9 tools like AppLocker1011 or Software Restriction Policies12 where appropriate.13

Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.

Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

References