M1024 Restrict Registry Permissions
Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:
Review and Adjust Permissions on Critical Keys
- Regularly review permissions on keys such as
Run,RunOnce, andServicesto ensure only authorized users have write access. - Use tools like
icaclsorPowerShellto automate permission adjustments.
Enable Registry Auditing
- Enable auditing on sensitive keys to log access attempts.
- Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.
- Example Audit Policy:
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
Protect Credential-Related Hives
- Limit access to hives like
SAM,SECURITY, andSYSTEMto prevent credential dumping or other unauthorized access. - Use LSA Protection to add an additional security layer for credential storage.
Restrict Registry Editor Usage
- Use Group Policy to restrict access to regedit.exe for non-administrative users.
- Block execution of registry editing tools on endpoints where they are unnecessary.
Deploy Baseline Configuration Tools
- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.
Tools for Implementation
Registry Permission Tools:
- Registry Editor (regedit): Built-in tool to manage registry permissions.
- PowerShell: Automate permissions and manage keys.
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value" - icacls: Command-line tool to modify ACLs.
Monitoring Tools:
- Sysmon: Monitor and log registry events.
- Event Viewer: View registry access logs.
Policy Management Tools:
- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.
- Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.
| Item | Value |
|---|---|
| ID | M1024 |
| Version | 1.2 |
| Created | 06 June 2019 |
| Last Modified | 24 December 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.003 | Time Providers | Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. 1 |
| enterprise | T1037 | Boot or Logon Initialization Scripts | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
| enterprise | T1037.001 | Logon Script (Windows) | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
| enterprise | T1574 | Hijack Execution Flow | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
| enterprise | T1574.011 | Services Registry Permissions Weakness | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
| enterprise | T1574.012 | COR_PROFILER | Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER. |
| enterprise | T1562 | Impair Defenses | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| enterprise | T1562.001 | Disable or Modify Tools | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
| enterprise | T1562.002 | Disable Windows Event Logging | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.3 |
| enterprise | T1562.004 | Disable or Modify System Firewall | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.007 | Clear Network Connection History and Configurations | Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1556 | Modify Authentication Process | Restrict Registry permissions to disallow the modification of sensitive Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. |
| enterprise | T1556.008 | Network Provider DLL | Restrict Registry permissions to disallow the modification of sensitive Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. |
| enterprise | T1112 | Modify Registry | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
| enterprise | T1505 | Server Software Component | Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.2 |
| enterprise | T1505.005 | Terminal Services DLL | Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.2 |
| enterprise | T1489 | Service Stop | Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
| enterprise | T1553 | Subvert Trust Controls | Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. |
| enterprise | T1553.003 | SIP and Trust Provider Hijacking | Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. |
| enterprise | T1553.006 | Code Signing Policy Modification | Ensure proper permissions are set for the Registry to prevent users from modifying keys related to code signing policies. |
References
-
Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. ↩
-
Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022. ↩↩
-
Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. ↩