DS0024 Windows Registry

A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations.[1]

ID: DS0024
Platforms: Windows
Collection Layers: Host
Version: 1.0
Created: 20 October 2021
Last Modified: 11 May 2022

Data Components

Windows Registry Key Access

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

Domain ID Name
enterprise T1652 Device Driver Discovery
enterprise T1003 OS Credential Dumping
enterprise T1003.002 Security Account Manager
enterprise T1003.004 LSA Secrets
enterprise T1012 Query Registry
enterprise T1649 Steal or Forge Authentication Certificates
enterprise T1614 System Location Discovery
enterprise T1614.001 System Language Discovery
enterprise T1033 System Owner/User Discovery
enterprise T1552 Unsecured Credentials
enterprise T1552.002 Credentials in Registry

Windows Registry Key Creation

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

Domain ID Name
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.001 Registry Run Keys / Startup Folder
enterprise T1547.014 Active Setup
enterprise T1037 Boot or Logon Initialization Scripts
enterprise T1037.001 Logon Script (Windows)
enterprise T1176 Browser Extensions
enterprise T1543 Create or Modify System Process
enterprise T1543.003 Windows Service
enterprise T1562 Impair Defenses
enterprise T1562.002 Disable Windows Event Logging
enterprise T1562.009 Safe Mode Boot
enterprise T1556 Modify Authentication Process
enterprise T1556.008 Network Provider DLL
enterprise T1112 Modify Registry
enterprise T1027 Obfuscated Files or Information
enterprise T1027.011 Fileless Storage
enterprise T1137 Office Application Startup
enterprise T1137.001 Office Template Macros
enterprise T1137.002 Office Test
enterprise T1137.006 Add-ins
enterprise T1053 Scheduled Task/Job
enterprise T1053.005 Scheduled Task
enterprise T1553 Subvert Trust Controls
enterprise T1553.004 Install Root Certificate

Windows Registry Key Deletion

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

Domain ID Name
enterprise T1562 Impair Defenses
enterprise T1562.001 Disable or Modify Tools
enterprise T1070 Indicator Removal
enterprise T1070.009 Clear Persistence
ics T0872 Indicator Removal on Host
enterprise T1112 Modify Registry

Windows Registry Key Modification

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Domain ID Name
enterprise T1548 Abuse Elevation Control Mechanism
enterprise T1548.002 Bypass User Account Control
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
ics T0830 Adversary-in-the-Middle
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.001 Registry Run Keys / Startup Folder
enterprise T1547.002 Authentication Package
enterprise T1547.003 Time Providers
enterprise T1547.004 Winlogon Helper DLL
enterprise T1547.005 Security Support Provider
enterprise T1547.010 Port Monitors
enterprise T1547.012 Print Processors
enterprise T1547.014 Active Setup
enterprise T1543 Create or Modify System Process
enterprise T1543.003 Windows Service
enterprise T1074 Data Staged
enterprise T1074.001 Local Data Staging
enterprise T1546 Event Triggered Execution
enterprise T1546.001 Change Default File Association
enterprise T1546.002 Screensaver
enterprise T1546.007 Netsh Helper DLL
enterprise T1546.008 Accessibility Features
enterprise T1546.009 AppCert DLLs
enterprise T1546.010 AppInit DLLs
enterprise T1546.011 Application Shimming
enterprise T1546.012 Image File Execution Options Injection
enterprise T1546.015 Component Object Model Hijacking
enterprise T1564 Hide Artifacts
enterprise T1564.002 Hidden Users
enterprise T1564.005 Hidden File System
enterprise T1564.006 Run Virtual Instance
enterprise T1574 Hijack Execution Flow
enterprise T1574.007 Path Interception by PATH Environment Variable
enterprise T1574.011 Services Registry Permissions Weakness
enterprise T1574.012 COR_PROFILER
enterprise T1562 Impair Defenses
enterprise T1562.001 Disable or Modify Tools
enterprise T1562.004 Disable or Modify System Firewall
enterprise T1562.006 Indicator Blocking
enterprise T1562.009 Safe Mode Boot
enterprise T1070 Indicator Removal
enterprise T1070.007 Clear Network Connection History and Configurations
enterprise T1070.009 Clear Persistence
ics T0872 Indicator Removal on Host
enterprise T1490 Inhibit System Recovery
enterprise T1056 Input Capture
enterprise T1056.001 Keylogging
enterprise T1556 Modify Authentication Process
enterprise T1556.002 Password Filter DLL
enterprise T1556.008 Network Provider DLL
enterprise T1112 Modify Registry
enterprise T1111 Multi-Factor Authentication Interception
enterprise T1137 Office Application Startup
enterprise T1137.001 Office Template Macros
enterprise T1137.002 Office Test
enterprise T1137.006 Add-ins
enterprise T1505 Server Software Component
enterprise T1505.005 Terminal Services DLL
enterprise T1489 Service Stop
ics T0881 Service Stop
ics T0856 Spoof Reporting Message
enterprise T1553 Subvert Trust Controls
enterprise T1553.003 SIP and Trust Provider Hijacking
enterprise T1553.004 Install Root Certificate
enterprise T1553.006 Code Signing Policy Modification
enterprise T1218 System Binary Proxy Execution
enterprise T1218.002 Control Panel
enterprise T1569 System Services
enterprise T1569.002 Service Execution

References

1. Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.
2. Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.
3. Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.
4. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
5. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
6. Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.
7. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
8. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
9. M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.
10. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
11. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
12. Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.
13. Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.
14. Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.
15. Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
16. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.
17. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
18. Nelson, M. (2016, August 15). “Fileless” UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
19. Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.
20. Nelson, M. (2017, March 17). “Fileless” UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.
21. Ewing, P. & Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016.
22. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
23. Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.
24. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
25. Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.
26. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
27. Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.