
M1024 Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

ID: M1024
Version: 1.1
Created: 06 June 2019
Last Modified: 31 March 2023

Techniques Addressed by Mitigation

Domain | ID | Name | Use
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.003 | Time Providers | Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. [3]
enterprise | T1037 | Boot or Logon Initialization Scripts | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
enterprise | T1037.001 | Logon Script (Windows) | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
enterprise | T1574 | Hijack Execution Flow | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
enterprise | T1574.011 | Services Registry Permissions Weakness | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
enterprise | T1574.012 | COR_PROFILER | Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.
enterprise | T1562 | Impair Defenses | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
enterprise | T1562.001 | Disable or Modify Tools | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.
enterprise | T1562.002 | Disable Windows Event Logging | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. The addition of the MiniNT registry key disables Event Viewer. [1]
enterprise | T1562.004 | Disable or Modify System Firewall | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.007 | Clear Network Connection History and Configurations | Protect locally stored event files and logs with proper permissions and authentication, and limit adversaries' opportunities to escalate privileges.
enterprise | T1556 | Modify Authentication Process | Restrict Registry permissions to disallow the modification of sensitive Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
enterprise | T1556.008 | Network Provider DLL | Restrict Registry permissions to disallow the modification of sensitive Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
enterprise | T1112 | Modify Registry | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
enterprise | T1505 | Server Software Component | Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry. [2]
enterprise | T1505.005 | Terminal Services DLL | Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry. [2]
enterprise | T1489 | Service Stop | Ensure proper Registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
enterprise | T1553 | Subvert Trust Controls | Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.
enterprise | T1553.003 | SIP and Trust Provider Hijacking | Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.
enterprise | T1553.006 | Code Signing Policy Modification | Ensure proper permissions are set for the Registry to prevent users from modifying keys related to code signing policies.

References