Which SIEM platforms have a T1112 detection rule?

df00tech provides T1112 (Modify Registry) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1112 detection?

The T1112 detection is rated high severity with medium confidence.

What are common false positives for T1112?

Common false positives for T1112 include: Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths); Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes; System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts.

T1112

Modify Registry

Q: What data sources are required to detect Modify Registry (T1112)?

Detecting Modify Registry requires the following data sources: Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint, Process: Process Creation.

Defense Evasion Persistence Last updated: April 18, 2026

Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.

What is T1112 Modify Registry?

Modify Registry (T1112) maps to the Defense Evasion and Persistence tactics — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Modify Registry, covering the data sources and telemetry it touches: Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint, Process: Process Creation. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion Persistence
Technique: T1112 Modify Registry
Canonical reference: https://attack.mitre.org/techniques/T1112/

Microsoft Sentinel / Defender

kusto

let SuspiciousPersistenceKeys = dynamic([
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  "\\SYSTEM\\CurrentControlSet\\Services",
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
]);
let DefenseEvasionKeys = dynamic([
  "\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
  "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  "\\SOFTWARE\\Microsoft\\Windows Defender",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
  "\\SOFTWARE\\Microsoft\\Office",
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
  "certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (SuspiciousPersistenceKeys) or RegistryKey has_any (DefenseEvasionKeys)
| extend IsSuspiciousProcess = InitiatingProcessFileName in~ (SuspiciousProcesses)
| extend IsPersistenceKey = RegistryKey has_any (SuspiciousPersistenceKeys)
| extend IsDefenseEvasionKey = RegistryKey has_any (DefenseEvasionKeys)
| extend IsWDigestEnable = RegistryKey has "Lsa" and RegistryValueName =~ "UseLogonCredential" and RegistryValueData == "1"
| extend IsDefenderDisable = RegistryKey has "Windows Defender" and RegistryValueName =~ "DisableAntiSpyware" and RegistryValueData == "1"
| extend IsMacroEnable = RegistryKey has "\\Security" and RegistryValueName =~ "VBAWarnings" and RegistryValueData == "1"
| extend IsUACBypass = RegistryKey has "Policies\\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0"
| extend IsIFEO = RegistryKey has "Image File Execution Options" and RegistryValueName =~ "Debugger"
| extend IsWinlogonHijack = RegistryKey has "Winlogon" and RegistryValueName in~ ("Userinit", "Shell")
| project Timestamp, DeviceName, AccountName, ActionType,
         RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         IsPersistenceKey, IsDefenseEvasionKey, IsSuspiciousProcess,
         IsWDigestEnable, IsDefenderDisable, IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack
| sort by Timestamp desc

Detects suspicious Windows Registry modifications using Microsoft Defender for Endpoint DeviceRegistryEvents. Covers key attack patterns: persistence via Run keys, Winlogon hijacking, and IFEO debugger injection; defense evasion via WDigest credential caching enablement, Windows Defender disabling, UAC bypass, and Office macro policy changes. Flags modifications initiated by common LOLBins and scripting interpreters. Each row is annotated with boolean flags identifying the specific attack pattern for analyst triage.

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceRegistryEvents

False Positives

Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes
System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts
Endpoint management agents (SCCM, Intune, Tanium) that configure system settings via registry modifications during software deployment
Antivirus and EDR products that legitimately modify Windows Defender registry keys during updates or configuration changes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14))
OR (sourcetype="WinEventLog:Security" EventCode=4657)
| eval RegistryPath=coalesce(TargetObject, ObjectName)
| eval ValueName=coalesce(Details, ObjectValueName)
| eval ProcessName=coalesce(Image, ProcessName)
| eval UserName=coalesce(User, SubjectUserName)
| eval IsPersistenceKey=if(match(RegistryPath, "(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\Services\\|Image File Execution Options)"), 1, 0)
| eval IsDefenseEvasionKey=if(match(RegistryPath, "(?i)(Lsa|Windows Defender|Policies\\\\System|\\\\Office\\|ZoneMap)"), 1, 0)
| eval IsWDigestEnable=if(match(RegistryPath, "(?i)Lsa") AND match(ValueName, "(?i)UseLogonCredential"), 1, 0)
| eval IsDefenderDisable=if(match(RegistryPath, "(?i)Windows Defender") AND match(ValueName, "(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)"), 1, 0)
| eval IsMacroEnable=if(match(RegistryPath, "(?i)\\\\Security") AND match(ValueName, "(?i)VBAWarnings"), 1, 0)
| eval IsUACBypass=if(match(RegistryPath, "(?i)Policies\\\\System") AND match(ValueName, "(?i)(EnableLUA|ConsentPromptBehaviorAdmin)"), 1, 0)
| eval IsIFEO=if(match(RegistryPath, "(?i)Image File Execution Options") AND match(ValueName, "(?i)Debugger"), 1, 0)
| eval IsWinlogonHijack=if(match(RegistryPath, "(?i)Winlogon") AND match(ValueName, "(?i)(Userinit|Shell)"), 1, 0)
| eval IsSuspiciousProcess=if(match(ProcessName, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe)"), 1, 0)
| eval RiskScore=IsPersistenceKey + IsDefenseEvasionKey + IsWDigestEnable*3 + IsDefenderDisable*3 + IsMacroEnable + IsUACBypass*2 + IsIFEO*2 + IsWinlogonHijack*3 + IsSuspiciousProcess
| where (IsPersistenceKey=1 OR IsDefenseEvasionKey=1) AND RiskScore > 0
| table _time, host, UserName, ProcessName, EventCode, RegistryPath, ValueName,
        IsPersistenceKey, IsDefenseEvasionKey, IsWDigestEnable, IsDefenderDisable,
        IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack, IsSuspiciousProcess, RiskScore
| sort - RiskScore, - _time

Detects suspicious registry modifications using Sysmon Event IDs 12 (Registry key create/delete), 13 (Registry value set), and 14 (Registry key/value rename), supplemented by Security Event ID 4657 (registry value modified, requires SACL auditing). Evaluates modifications against known persistence and defense evasion registry paths, assigning weighted risk scores. High-risk patterns (WDigest enablement, Defender disablement, Winlogon hijacking) carry elevated scores. Results sorted by risk score to surface highest-priority events first.

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Sysmon Event ID 12 (Registry Object Create/Delete) Sysmon Event ID 13 (Registry Value Set) Sysmon Event ID 14 (Registry Key/Value Rename) Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
Group Policy application modifies Defender and Office macro policy keys during scheduled policy refreshes (gpscript.exe parent)
Endpoint management agents (SCCM, Intune) that configure system settings via registry modifications during software deployment
Legitimate security hardening scripts executed by IT administrators using reg.exe or PowerShell to apply CIS benchmarks

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=5m
  [registry where event.type in ("creation", "change") and
   (
     registry.path : (
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*",
       "*\\SYSTEM\\CurrentControlSet\\Services\\*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*",
       "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*",
       "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*",
       "*\\SOFTWARE\\Microsoft\\Office*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*"
     )
   ) and
   process.name : (
     "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
     "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
     "certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
   )
  ]

// Alternate single-event query for broader coverage:
// registry where event.type in ("creation", "change") and
// registry.path : ("*CurrentVersion\\Run*", "*Winlogon*", "*Lsa*", "*Windows Defender*", "*Image File Execution Options*", "*Policies\\System*", "*\\Services\\*", "*\\Office\\*", "*ZoneMap*")

Detects suspicious Windows Registry modifications targeting persistence keys (Run/RunOnce, Winlogon, Services, IFEO) and defense evasion keys (LSA WDigest, Windows Defender disable, Office macro enable, UAC bypass) initiated by commonly abused processes such as PowerShell, cmd.exe, reg.exe, and LOLBins.

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.registry-* winlogbeat-*

False Positives

Software installers and updaters legitimately write to Run keys and service registry paths during installation or updates.
Group Policy processing (gpupdate) and system management tools may modify Windows Defender and security policy registry keys as part of authorized configuration management.
Administrative scripts and configuration management tools (Ansible, Chef, Puppet) may use PowerShell or cmd.exe to write registry values during infrastructure provisioning.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name" AS process_name,
  "Object Name" AS registry_path,
  "Object Value Name" AS value_name,
  "New Value" AS value_data,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  sourceip,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*' THEN 1
    ELSE 0
  END AS is_persistence_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*' THEN 1
    ELSE 0
  END AS is_defense_evasion_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*' AND UPPER("Object Value Name") MATCHES '.*USELOGONCREDENTIAL.*' THEN 1
    ELSE 0
  END AS is_wdigest_enable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINDOWS DEFENDER.*' AND UPPER("Object Value Name") MATCHES '.*DISABLEANTISPY.*|.*DISABLEREALTIMEMON.*|.*DISABLEANTIVIRUS.*' THEN 1
    ELSE 0
  END AS is_defender_disable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*POLICIES\\SYSTEM.*' AND UPPER("Object Value Name") MATCHES '.*ENABLELUA.*|.*CONSENTPROMPTBEHAVIORADMIN.*' THEN 1
    ELSE 0
  END AS is_uac_bypass,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*IMAGE FILE EXECUTION OPTIONS.*' AND UPPER("Object Value Name") MATCHES '.*DEBUGGER.*' THEN 1
    ELSE 0
  END AS is_ifeo,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINLOGON.*' AND UPPER("Object Value Name") MATCHES '.*USERINIT.*|.*SHELL.*' THEN 1
    ELSE 0
  END AS is_winlogon_hijack,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe).*' THEN 1
    ELSE 0
  END AS is_suspicious_process
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM log_source_types WHERE name ILIKE '%windows%' OR name ILIKE '%sysmon%' OR name ILIKE '%microsoft%'
  )
  AND (deviceEventId = '4657' OR deviceEventId IN ('12','13','14'))
  AND LAST 24 HOURS
  AND (
    UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*|.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*'
  )
ORDER BY event_time DESC

Detects Windows Registry modifications to persistence and defense evasion keys via QRadar AQL by querying Windows Security Event 4657 (registry value modification) and Sysmon events 12/13/14. Classifies events by key type, specific high-risk value changes (WDigest, Defender disable, UAC bypass, IFEO, Winlogon hijack), and suspicious initiating processes.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (Event ID 4657) Sysmon Event Log (Events 12, 13, 14) Microsoft Windows DSM

Required Tables

events

False Positives

Legitimate software deployment tools (SCCM, Intune, PDQ Deploy) modify Run keys and service entries during managed software installation.
Security software including AV and EDR products may write to Windows Defender policy keys when applying exclusions or configurations.
IT automation scripts run by administrators via PowerShell or cmd.exe will generate registry events that match these patterns during routine configuration tasks.

Sumo Logic CSE

sql

_sourceCategory="windows/*" ("EventCode=4657" OR "EventCode=12" OR "EventCode=13" OR "EventCode=14")
| parse "TargetObject=*" as registry_path nodrop
| parse "ObjectName=*" as object_name nodrop
| parse "Image=*" as sysmon_process nodrop
| parse "ProcessName=*" as sec_process_name nodrop
| parse "User=*" as sysmon_user nodrop
| parse "SubjectUserName=*" as sec_user nodrop
| parse "Details=*" as sysmon_value_data nodrop
| parse "ObjectValueName=*" as value_name nodrop
| if (!isNull(registry_path), registry_path, object_name) as registry_path
| if (!isNull(sysmon_process), sysmon_process, sec_process_name) as process_name
| if (!isNull(sysmon_user), sysmon_user, sec_user) as user_name
| where (
    registry_path matches "*CurrentVersion\\Run*"
    OR registry_path matches "*CurrentVersion\\RunOnce*"
    OR registry_path matches "*Winlogon*"
    OR registry_path matches "*\\Services\\*"
    OR registry_path matches "*Image File Execution Options*"
    OR registry_path matches "*\\Lsa*"
    OR registry_path matches "*Windows Defender*"
    OR registry_path matches "*Policies\\System*"
    OR registry_path matches "*\\Office\\*"
    OR registry_path matches "*ZoneMap*"
  )
| if (registry_path matches "*CurrentVersion\\Run*" OR registry_path matches "*Winlogon*" OR registry_path matches "*\\Services\\*" OR registry_path matches "*Image File Execution Options*", 1, 0) as is_persistence_key
| if (registry_path matches "*\\Lsa*" OR registry_path matches "*Windows Defender*" OR registry_path matches "*Policies\\System*" OR registry_path matches "*\\Office\\*" OR registry_path matches "*ZoneMap*", 1, 0) as is_defense_evasion_key
| if (registry_path matches "*\\Lsa*" AND value_name matches "*UseLogonCredential*", 1, 0) as is_wdigest_enable
| if (registry_path matches "*Windows Defender*" AND (value_name matches "*DisableAntiSpyware*" OR value_name matches "*DisableRealtimeMonitoring*"), 1, 0) as is_defender_disable
| if (registry_path matches "*Policies\\System*" AND (value_name matches "*EnableLUA*" OR value_name matches "*ConsentPromptBehaviorAdmin*"), 1, 0) as is_uac_bypass
| if (registry_path matches "*Image File Execution Options*" AND value_name matches "*Debugger*", 1, 0) as is_ifeo
| if (registry_path matches "*Winlogon*" AND (value_name matches "*Userinit*" OR value_name matches "*Shell*"), 1, 0) as is_winlogon_hijack
| if (process_name matches "*powershell.exe*" OR process_name matches "*cmd.exe*" OR process_name matches "*wscript.exe*" OR process_name matches "*cscript.exe*" OR process_name matches "*mshta.exe*" OR process_name matches "*rundll32.exe*" OR process_name matches "*regsvr32.exe*" OR process_name matches "*reg.exe*" OR process_name matches "*wmic.exe*" OR process_name matches "*certutil.exe*", 1, 0) as is_suspicious_process
| (is_persistence_key + is_defense_evasion_key + (is_wdigest_enable * 3) + (is_defender_disable * 3) + is_uac_bypass * 2 + is_ifeo * 2 + is_winlogon_hijack * 3 + is_suspicious_process) as risk_score
| where risk_score > 0
| fields _messagetime, _sourceHost, user_name, process_name, registry_path, value_name, is_persistence_key, is_defense_evasion_key, is_wdigest_enable, is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, is_suspicious_process, risk_score
| sort by risk_score desc, _messagetime desc

Detects suspicious Windows Registry modifications targeting persistence and defense evasion keys using Sumo Logic CSE. Parses Windows Security Event 4657 and Sysmon registry events (12/13/14), classifies by key type and specific high-risk value changes, and calculates a weighted risk score to prioritize high-fidelity alerts.

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Log Collector Sysmon via Sumo Logic Windows collector

Required Tables

windows/security windows/sysmon

False Positives

Windows Update and Microsoft Update processes legitimately modify services registry keys and Windows Defender policy entries during patch cycles.
Enterprise endpoint management solutions (SCCM, Tanium, CrowdStrike) write to run keys and policy registry paths as part of normal agent operations.
Software development activity including IDE plugins and build systems may invoke msbuild.exe or PowerShell against registry keys during build or test workflows.

Google Chronicle / SecOps

yaral

rule t1112_modify_registry_suspicious {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious Windows Registry modifications to persistence and defense evasion keys initiated by commonly abused processes. Covers Run keys, Winlogon hijack, IFEO debugger, LSA WDigest enable, Windows Defender disable, UAC bypass, and Office macro enable."
    mitre_attack_tactic = "Defense Evasion, Persistence"
    mitre_attack_technique = "T1112"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1112/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options|\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)`) = true
    )
    re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$`) = true

  match:
    $e.principal.hostname over 5m

  outcome:
    $host = $e.principal.hostname
    $user = $e.principal.user.userid
    $process = $e.principal.process.file.full_path
    $registry_key = $e.target.registry.registry_key
    $registry_value_name = $e.target.registry.registry_value_name
    $registry_value_data = $e.target.registry.registry_value_data
    $is_wdigest_enable = if(
      re.regex($e.target.registry.registry_key, `(?i)\\Lsa`) and
      re.regex($e.target.registry.registry_value_name, `(?i)UseLogonCredential`), 1, 0
    )
    $is_defender_disable = if(
      re.regex($e.target.registry.registry_key, `(?i)Windows Defender`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)`), 1, 0
    )
    $is_uac_bypass = if(
      re.regex($e.target.registry.registry_key, `(?i)Policies\\System`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(EnableLUA|ConsentPromptBehaviorAdmin)`), 1, 0
    )
    $is_ifeo = if(
      re.regex($e.target.registry.registry_key, `(?i)Image File Execution Options`) and
      re.regex($e.target.registry.registry_value_name, `(?i)Debugger`), 1, 0
    )
    $is_winlogon_hijack = if(
      re.regex($e.target.registry.registry_key, `(?i)Winlogon`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(Userinit|Shell)`), 1, 0
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting suspicious Windows Registry modifications to persistence and defense evasion keys. Monitors REGISTRY_MODIFICATION events where the initiating process is a commonly abused LOLBin or scripting host, enriches events with specific high-risk modification classifications including WDigest enable, Defender disable, UAC bypass, IFEO debugger hijack, and Winlogon hijack.

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Sysmon logs via Chronicle UDM ingestion Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM REGISTRY_MODIFICATION events

False Positives

Legitimate software installations and update processes that use reg.exe or PowerShell to configure persistence mechanisms or disable conflicting security software during setup.
System administrators using scripting tools to configure Windows Defender exclusions, UAC policies, or Winlogon settings as part of authorized hardening or configuration workflows.
Enterprise backup and recovery agents that modify service registry entries and security policy keys during deployment or DR testing activities.

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) - T1112 Registry Modification Detection
#event_simpleName = /^(RegSetValue|RegCreateKey|AsepValueUpdate|AsepKeyUpdate)$/
| TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image\s*File\s*Execution\s*Options|\\Control\\Lsa|Windows\s*Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$/
| is_persistence_key := if(
    TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options)/,
    "true", "false"
  )
| is_defense_evasion_key := if(
    TargetRegistryKey = /(?i)(\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/,
    "true", "false"
  )
| is_wdigest_enable := if(
    TargetRegistryKey = /(?i)\\Lsa/ AND TargetRegistryValueName = /(?i)UseLogonCredential/,
    "true", "false"
  )
| is_defender_disable := if(
    TargetRegistryKey = /(?i)Windows Defender/ AND TargetRegistryValueName = /(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)/,
    "true", "false"
  )
| is_uac_bypass := if(
    TargetRegistryKey = /(?i)Policies\\System/ AND TargetRegistryValueName = /(?i)(EnableLUA|ConsentPromptBehaviorAdmin)/,
    "true", "false"
  )
| is_ifeo := if(
    TargetRegistryKey = /(?i)Image File Execution Options/ AND TargetRegistryValueName = /(?i)Debugger/,
    "true", "false"
  )
| is_winlogon_hijack := if(
    TargetRegistryKey = /(?i)Winlogon/ AND TargetRegistryValueName = /(?i)(Userinit|Shell)/,
    "true", "false"
  )
| risk_score := 0
| risk_score := risk_score + if(is_persistence_key = "true", 1, 0)
| risk_score := risk_score + if(is_defense_evasion_key = "true", 1, 0)
| risk_score := risk_score + if(is_wdigest_enable = "true", 3, 0)
| risk_score := risk_score + if(is_defender_disable = "true", 3, 0)
| risk_score := risk_score + if(is_uac_bypass = "true", 2, 0)
| risk_score := risk_score + if(is_ifeo = "true", 2, 0)
| risk_score := risk_score + if(is_winlogon_hijack = "true", 3, 0)
| select(
    [timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     TargetRegistryKey, TargetRegistryValueName, TargetRegistryValueData,
     is_persistence_key, is_defense_evasion_key, is_wdigest_enable,
     is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, risk_score]
  )
| sort(field=risk_score, order=desc)

Detects suspicious Windows Registry modifications in CrowdStrike Falcon via LogScale CQL. Queries RegSetValue, RegCreateKey, AsepValueUpdate, and AsepKeyUpdate events targeting persistence and defense evasion registry paths initiated by known LOLBins and scripting hosts. Calculates a weighted risk score and classifies specific high-severity modifications including WDigest credential caching enable, Defender disable, IFEO debugger hijack, Winlogon shell replacement, and UAC bypass.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon telemetry: RegSetValue, RegCreateKey, AsepValueUpdate, AsepKeyUpdate events

Required Tables

Falcon event stream (RegSetValue, RegCreateKey, AsepValueUpdate, AsepKeyUpdate)

False Positives

CrowdStrike Falcon sensor itself and other EDR/AV products generate registry events when writing exclusions, configuration, and protection state to Windows Defender and LSA-adjacent keys.
Managed deployment tooling using PowerShell (e.g., Intune remediation scripts, SCCM task sequences) generates high-volume registry events to Run keys and service paths that are part of authorized software lifecycle management.
Developer workstations running build automation (msbuild.exe) or test harnesses may trigger IFEO and run key events as part of debugging or instrumentation workflows.

Sigma rule & cross-platform mapping

The detection logic for Modify Registry (T1112) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1112 Sigma rules on detection.fyi

Platform-specific guides for T1112

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (11)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
Test 2Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
Test 3Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
Test 4IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Modify Registry

What is T1112 Modify Registry?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1112

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1112 Modify Registry?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1112

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox