DET0280 Behavior-Based Registry Modification Detection on Windows

Item          | Value
ID            | DET0280
Version       | 1.0
Created       | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1112 (Modify Registry)

Analytics

Windows

AN0781

Behavior chain involving abnormal registry modifications via CLI, PowerShell, WMI, or direct API calls, especially those targeting persistence, privilege escalation, or defense evasion keys (for example, editing the Notify, Userinit, or Startup keys, or disabling SafeDllSearchMode), potentially followed by a service restart or process execution.

Log Sources
Data Component                              | Name   | Channel
Windows Registry Key Modification (DC0063)  | Sysmon | WinEventLog:Sysmon EventCode=13, 14
Process Creation (DC0032)                   | Sysmon | WinEventLog:Sysmon EventCode=1
Mutable Elements
Field                   | Description
RegistryKeyPathPatterns | Environment-specific list of monitored or critical registry keys, e.g., Run, Services, Security Settings, LSASS
ParentProcessAllowList  | Allowlist of legitimate registry tools (e.g., regedit.exe, msiexec.exe); used to filter known safe writes
TimeWindow              | Correlate registry change with nearby process/service execution within a defined timeframe
SignatureCheck          | Flag unsigned executables or abnormal parent-child lineage performing registry modification
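As an added example (not part of the DET0280 page or of MITRE's own tooling), the correlation described by AN0781 and its mutable elements, run over constructed Sysmon-like records in Python: critical-key writes (EventCode 13/14) from a non-allowlisted image are flagged when the modifying process is unsigned or spawns a child within the time window. Field names follow Sysmon EventCode 1 and 13 where they exist; the Signed flag is an assumed enrichment field, and KEY_PATTERNS and PARENT_ALLOWLIST are hypothetical values for RegistryKeyPathPatterns and ParentProcessAllowList.

```python
import re
from datetime import datetime, timedelta

# Hypothetical RegistryKeyPathPatterns: the keys AN0781 names, as regexes.
KEY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?\b",
    r"\\Winlogon\\(Userinit|Notify)",
    r"\\Session Manager\\SafeDllSearchMode$",
    r"\\Services\\[^\\]+\\ImagePath$",
)]
# Hypothetical ParentProcessAllowList (lower-cased full image paths).
PARENT_ALLOWLIST = {r"c:\windows\regedit.exe", r"c:\windows\system32\msiexec.exe"}
WINDOW = timedelta(seconds=60)  # TimeWindow for the registry write -> process chain

# Constructed, Sysmon-like records (not real telemetry). "Signed" is an assumed
# enrichment field; Sysmon EventCode 1 does not carry it natively.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:00", "ProcessGuid": "A", "ParentProcessGuid": "X",
     "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "Signed": False},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:05", "ProcessGuid": "A",
     "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:20", "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\cmd.exe", "Signed": True},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:05:00", "ProcessGuid": "C",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tool"},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:06:00", "ProcessGuid": "D",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKCU\Software\Contoso\Settings\Theme"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect(events, key_patterns=KEY_PATTERNS, allowlist=PARENT_ALLOWLIST, window=WINDOW):
    """Return one alert per critical-key write that is not from an allowlisted image
    and is either made by an unsigned process (SignatureCheck) or followed within the
    window by a child process of the modifier (TimeWindow correlation)."""
    procs = [e for e in events if e["EventCode"] == 1]
    by_guid = {p["ProcessGuid"]: p for p in procs}
    alerts = []
    for e in events:
        if e["EventCode"] not in (13, 14) or e["Image"].lower() in allowlist:
            continue
        if not any(p.search(e["TargetObject"]) for p in key_patterns):
            continue
        t0 = _ts(e["UtcTime"])
        children = [p["Image"] for p in procs if p["ParentProcessGuid"] == e["ProcessGuid"]
                    and t0 <= _ts(p["UtcTime"]) <= t0 + window]
        reasons = []
        if by_guid.get(e["ProcessGuid"], {}).get("Signed") is False:
            reasons.append("unsigned image")
        if children:
            reasons.append("spawned " + ", ".join(children))
        if reasons:
            alerts.append({"key": e["TargetObject"], "image": e["Image"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The regedit write to a Run key is suppressed by the allowlist and the svchost write to a non-critical key never matches a pattern; only the unsigned Temp-directory binary editing Userinit and then spawning cmd.exe is reported, with both reasons attached.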