T1112

Modify Registry

Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.

Microsoft Sentinel / Defender

kusto

let SuspiciousPersistenceKeys = dynamic([
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  "\\SYSTEM\\CurrentControlSet\\Services",
  "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
]);
let DefenseEvasionKeys = dynamic([
  "\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
  "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  "\\SOFTWARE\\Microsoft\\Windows Defender",
  "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
  "\\SOFTWARE\\Microsoft\\Office",
  "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
  "certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (SuspiciousPersistenceKeys) or RegistryKey has_any (DefenseEvasionKeys)
| extend IsSuspiciousProcess = InitiatingProcessFileName in~ (SuspiciousProcesses)
| extend IsPersistenceKey = RegistryKey has_any (SuspiciousPersistenceKeys)
| extend IsDefenseEvasionKey = RegistryKey has_any (DefenseEvasionKeys)
| extend IsWDigestEnable = RegistryKey has "Lsa" and RegistryValueName =~ "UseLogonCredential" and RegistryValueData == "1"
| extend IsDefenderDisable = RegistryKey has "Windows Defender" and RegistryValueName =~ "DisableAntiSpyware" and RegistryValueData == "1"
| extend IsMacroEnable = RegistryKey has "\\Security" and RegistryValueName =~ "VBAWarnings" and RegistryValueData == "1"
| extend IsUACBypass = RegistryKey has "Policies\\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0"
| extend IsIFEO = RegistryKey has "Image File Execution Options" and RegistryValueName =~ "Debugger"
| extend IsWinlogonHijack = RegistryKey has "Winlogon" and RegistryValueName in~ ("Userinit", "Shell")
| project Timestamp, DeviceName, AccountName, ActionType,
         RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         IsPersistenceKey, IsDefenseEvasionKey, IsSuspiciousProcess,
         IsWDigestEnable, IsDefenderDisable, IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceRegistryEvents

False Positives

Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes
System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts
Endpoint management agents (SCCM, Intune, Tanium) that configure system settings via registry modifications during software deployment
Antivirus and EDR products that legitimately modify Windows Defender registry keys during updates or configuration changes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14))
OR (sourcetype="WinEventLog:Security" EventCode=4657)
| eval RegistryPath=coalesce(TargetObject, ObjectName)
| eval ValueName=coalesce(Details, ObjectValueName)
| eval ProcessName=coalesce(Image, ProcessName)
| eval UserName=coalesce(User, SubjectUserName)
| eval IsPersistenceKey=if(match(RegistryPath, "(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\Services\\|Image File Execution Options)"), 1, 0)
| eval IsDefenseEvasionKey=if(match(RegistryPath, "(?i)(Lsa|Windows Defender|Policies\\\\System|\\\\Office\\|ZoneMap)"), 1, 0)
| eval IsWDigestEnable=if(match(RegistryPath, "(?i)Lsa") AND match(ValueName, "(?i)UseLogonCredential"), 1, 0)
| eval IsDefenderDisable=if(match(RegistryPath, "(?i)Windows Defender") AND match(ValueName, "(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)"), 1, 0)
| eval IsMacroEnable=if(match(RegistryPath, "(?i)\\\\Security") AND match(ValueName, "(?i)VBAWarnings"), 1, 0)
| eval IsUACBypass=if(match(RegistryPath, "(?i)Policies\\\\System") AND match(ValueName, "(?i)(EnableLUA|ConsentPromptBehaviorAdmin)"), 1, 0)
| eval IsIFEO=if(match(RegistryPath, "(?i)Image File Execution Options") AND match(ValueName, "(?i)Debugger"), 1, 0)
| eval IsWinlogonHijack=if(match(RegistryPath, "(?i)Winlogon") AND match(ValueName, "(?i)(Userinit|Shell)"), 1, 0)
| eval IsSuspiciousProcess=if(match(ProcessName, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe)"), 1, 0)
| eval RiskScore=IsPersistenceKey + IsDefenseEvasionKey + IsWDigestEnable*3 + IsDefenderDisable*3 + IsMacroEnable + IsUACBypass*2 + IsIFEO*2 + IsWinlogonHijack*3 + IsSuspiciousProcess
| where (IsPersistenceKey=1 OR IsDefenseEvasionKey=1) AND RiskScore > 0
| table _time, host, UserName, ProcessName, EventCode, RegistryPath, ValueName,
        IsPersistenceKey, IsDefenseEvasionKey, IsWDigestEnable, IsDefenderDisable,
        IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack, IsSuspiciousProcess, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Sysmon Event ID 12 (Registry Object Create/Delete) Sysmon Event ID 13 (Registry Value Set) Sysmon Event ID 14 (Registry Key/Value Rename) Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
Group Policy application modifies Defender and Office macro policy keys during scheduled policy refreshes (gpscript.exe parent)
Endpoint management agents (SCCM, Intune) that configure system settings via registry modifications during software deployment
Legitimate security hardening scripts executed by IT administrators using reg.exe or PowerShell to apply CIS benchmarks

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=5m
  [registry where event.type in ("creation", "change") and
   (
     registry.path : (
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*",
       "*\\SYSTEM\\CurrentControlSet\\Services\\*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*",
       "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*",
       "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*",
       "*\\SOFTWARE\\Microsoft\\Office*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*"
     )
   ) and
   process.name : (
     "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
     "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
     "certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
   )
  ]

// Alternate single-event query for broader coverage:
// registry where event.type in ("creation", "change") and
// registry.path : ("*CurrentVersion\\Run*", "*Winlogon*", "*Lsa*", "*Windows Defender*", "*Image File Execution Options*", "*Policies\\System*", "*\\Services\\*", "*\\Office\\*", "*ZoneMap*")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.registry-* winlogbeat-*

False Positives

Software installers and updaters legitimately write to Run keys and service registry paths during installation or updates.
Group Policy processing (gpupdate) and system management tools may modify Windows Defender and security policy registry keys as part of authorized configuration management.
Administrative scripts and configuration management tools (Ansible, Chef, Puppet) may use PowerShell or cmd.exe to write registry values during infrastructure provisioning.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name" AS process_name,
  "Object Name" AS registry_path,
  "Object Value Name" AS value_name,
  "New Value" AS value_data,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  sourceip,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*' THEN 1
    ELSE 0
  END AS is_persistence_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*' THEN 1
    ELSE 0
  END AS is_defense_evasion_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*' AND UPPER("Object Value Name") MATCHES '.*USELOGONCREDENTIAL.*' THEN 1
    ELSE 0
  END AS is_wdigest_enable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINDOWS DEFENDER.*' AND UPPER("Object Value Name") MATCHES '.*DISABLEANTISPY.*|.*DISABLEREALTIMEMON.*|.*DISABLEANTIVIRUS.*' THEN 1
    ELSE 0
  END AS is_defender_disable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*POLICIES\\SYSTEM.*' AND UPPER("Object Value Name") MATCHES '.*ENABLELUA.*|.*CONSENTPROMPTBEHAVIORADMIN.*' THEN 1
    ELSE 0
  END AS is_uac_bypass,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*IMAGE FILE EXECUTION OPTIONS.*' AND UPPER("Object Value Name") MATCHES '.*DEBUGGER.*' THEN 1
    ELSE 0
  END AS is_ifeo,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINLOGON.*' AND UPPER("Object Value Name") MATCHES '.*USERINIT.*|.*SHELL.*' THEN 1
    ELSE 0
  END AS is_winlogon_hijack,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe).*' THEN 1
    ELSE 0
  END AS is_suspicious_process
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM log_source_types WHERE name ILIKE '%windows%' OR name ILIKE '%sysmon%' OR name ILIKE '%microsoft%'
  )
  AND (deviceEventId = '4657' OR deviceEventId IN ('12','13','14'))
  AND LAST 24 HOURS
  AND (
    UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*|.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*'
  )
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (Event ID 4657) Sysmon Event Log (Events 12, 13, 14) Microsoft Windows DSM

Required Tables

events

False Positives

Legitimate software deployment tools (SCCM, Intune, PDQ Deploy) modify Run keys and service entries during managed software installation.
Security software including AV and EDR products may write to Windows Defender policy keys when applying exclusions or configurations.
IT automation scripts run by administrators via PowerShell or cmd.exe will generate registry events that match these patterns during routine configuration tasks.

Sumo Logic CSE

sql

_sourceCategory="windows/*" ("EventCode=4657" OR "EventCode=12" OR "EventCode=13" OR "EventCode=14")
| parse "TargetObject=*" as registry_path nodrop
| parse "ObjectName=*" as object_name nodrop
| parse "Image=*" as sysmon_process nodrop
| parse "ProcessName=*" as sec_process_name nodrop
| parse "User=*" as sysmon_user nodrop
| parse "SubjectUserName=*" as sec_user nodrop
| parse "Details=*" as sysmon_value_data nodrop
| parse "ObjectValueName=*" as value_name nodrop
| if (!isNull(registry_path), registry_path, object_name) as registry_path
| if (!isNull(sysmon_process), sysmon_process, sec_process_name) as process_name
| if (!isNull(sysmon_user), sysmon_user, sec_user) as user_name
| where (
    registry_path matches "*CurrentVersion\\Run*"
    OR registry_path matches "*CurrentVersion\\RunOnce*"
    OR registry_path matches "*Winlogon*"
    OR registry_path matches "*\\Services\\*"
    OR registry_path matches "*Image File Execution Options*"
    OR registry_path matches "*\\Lsa*"
    OR registry_path matches "*Windows Defender*"
    OR registry_path matches "*Policies\\System*"
    OR registry_path matches "*\\Office\\*"
    OR registry_path matches "*ZoneMap*"
  )
| if (registry_path matches "*CurrentVersion\\Run*" OR registry_path matches "*Winlogon*" OR registry_path matches "*\\Services\\*" OR registry_path matches "*Image File Execution Options*", 1, 0) as is_persistence_key
| if (registry_path matches "*\\Lsa*" OR registry_path matches "*Windows Defender*" OR registry_path matches "*Policies\\System*" OR registry_path matches "*\\Office\\*" OR registry_path matches "*ZoneMap*", 1, 0) as is_defense_evasion_key
| if (registry_path matches "*\\Lsa*" AND value_name matches "*UseLogonCredential*", 1, 0) as is_wdigest_enable
| if (registry_path matches "*Windows Defender*" AND (value_name matches "*DisableAntiSpyware*" OR value_name matches "*DisableRealtimeMonitoring*"), 1, 0) as is_defender_disable
| if (registry_path matches "*Policies\\System*" AND (value_name matches "*EnableLUA*" OR value_name matches "*ConsentPromptBehaviorAdmin*"), 1, 0) as is_uac_bypass
| if (registry_path matches "*Image File Execution Options*" AND value_name matches "*Debugger*", 1, 0) as is_ifeo
| if (registry_path matches "*Winlogon*" AND (value_name matches "*Userinit*" OR value_name matches "*Shell*"), 1, 0) as is_winlogon_hijack
| if (process_name matches "*powershell.exe*" OR process_name matches "*cmd.exe*" OR process_name matches "*wscript.exe*" OR process_name matches "*cscript.exe*" OR process_name matches "*mshta.exe*" OR process_name matches "*rundll32.exe*" OR process_name matches "*regsvr32.exe*" OR process_name matches "*reg.exe*" OR process_name matches "*wmic.exe*" OR process_name matches "*certutil.exe*", 1, 0) as is_suspicious_process
| (is_persistence_key + is_defense_evasion_key + (is_wdigest_enable * 3) + (is_defender_disable * 3) + is_uac_bypass * 2 + is_ifeo * 2 + is_winlogon_hijack * 3 + is_suspicious_process) as risk_score
| where risk_score > 0
| fields _messagetime, _sourceHost, user_name, process_name, registry_path, value_name, is_persistence_key, is_defense_evasion_key, is_wdigest_enable, is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, is_suspicious_process, risk_score
| sort by risk_score desc, _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Log Collector Sysmon via Sumo Logic Windows collector

Required Tables

windows/security windows/sysmon

False Positives

Windows Update and Microsoft Update processes legitimately modify services registry keys and Windows Defender policy entries during patch cycles.
Enterprise endpoint management solutions (SCCM, Tanium, CrowdStrike) write to run keys and policy registry paths as part of normal agent operations.
Software development activity including IDE plugins and build systems may invoke msbuild.exe or PowerShell against registry keys during build or test workflows.

Google Chronicle / SecOps

yaral

rule t1112_modify_registry_suspicious {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious Windows Registry modifications to persistence and defense evasion keys initiated by commonly abused processes. Covers Run keys, Winlogon hijack, IFEO debugger, LSA WDigest enable, Windows Defender disable, UAC bypass, and Office macro enable."
    mitre_attack_tactic = "Defense Evasion, Persistence"
    mitre_attack_technique = "T1112"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1112/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options|\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)`) = true
    )
    re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$`) = true

  match:
    $e.principal.hostname over 5m

  outcome:
    $host = $e.principal.hostname
    $user = $e.principal.user.userid
    $process = $e.principal.process.file.full_path
    $registry_key = $e.target.registry.registry_key
    $registry_value_name = $e.target.registry.registry_value_name
    $registry_value_data = $e.target.registry.registry_value_data
    $is_wdigest_enable = if(
      re.regex($e.target.registry.registry_key, `(?i)\\Lsa`) and
      re.regex($e.target.registry.registry_value_name, `(?i)UseLogonCredential`), 1, 0
    )
    $is_defender_disable = if(
      re.regex($e.target.registry.registry_key, `(?i)Windows Defender`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)`), 1, 0
    )
    $is_uac_bypass = if(
      re.regex($e.target.registry.registry_key, `(?i)Policies\\System`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(EnableLUA|ConsentPromptBehaviorAdmin)`), 1, 0
    )
    $is_ifeo = if(
      re.regex($e.target.registry.registry_key, `(?i)Image File Execution Options`) and
      re.regex($e.target.registry.registry_value_name, `(?i)Debugger`), 1, 0
    )
    $is_winlogon_hijack = if(
      re.regex($e.target.registry.registry_key, `(?i)Winlogon`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(Userinit|Shell)`), 1, 0
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Sysmon logs via Chronicle UDM ingestion Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM REGISTRY_MODIFICATION events

False Positives

Legitimate software installations and update processes that use reg.exe or PowerShell to configure persistence mechanisms or disable conflicting security software during setup.
System administrators using scripting tools to configure Windows Defender exclusions, UAC policies, or Winlogon settings as part of authorized hardening or configuration workflows.
Enterprise backup and recovery agents that modify service registry entries and security policy keys during deployment or DR testing activities.

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) - T1112 Registry Modification Detection
#event_simpleName = /^(RegSetValue|RegCreateKey|AsepValueUpdate|AsepKeyUpdate)$/
| TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image\s*File\s*Execution\s*Options|\\Control\\Lsa|Windows\s*Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$/
| is_persistence_key := if(
    TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options)/,
    "true", "false"
  )
| is_defense_evasion_key := if(
    TargetRegistryKey = /(?i)(\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/,
    "true", "false"
  )
| is_wdigest_enable := if(
    TargetRegistryKey = /(?i)\\Lsa/ AND TargetRegistryValueName = /(?i)UseLogonCredential/,
    "true", "false"
  )
| is_defender_disable := if(
    TargetRegistryKey = /(?i)Windows Defender/ AND TargetRegistryValueName = /(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)/,
    "true", "false"
  )
| is_uac_bypass := if(
    TargetRegistryKey = /(?i)Policies\\System/ AND TargetRegistryValueName = /(?i)(EnableLUA|ConsentPromptBehaviorAdmin)/,
    "true", "false"
  )
| is_ifeo := if(
    TargetRegistryKey = /(?i)Image File Execution Options/ AND TargetRegistryValueName = /(?i)Debugger/,
    "true", "false"
  )
| is_winlogon_hijack := if(
    TargetRegistryKey = /(?i)Winlogon/ AND TargetRegistryValueName = /(?i)(Userinit|Shell)/,
    "true", "false"
  )
| risk_score := 0
| risk_score := risk_score + if(is_persistence_key = "true", 1, 0)
| risk_score := risk_score + if(is_defense_evasion_key = "true", 1, 0)
| risk_score := risk_score + if(is_wdigest_enable = "true", 3, 0)
| risk_score := risk_score + if(is_defender_disable = "true", 3, 0)
| risk_score := risk_score + if(is_uac_bypass = "true", 2, 0)
| risk_score := risk_score + if(is_ifeo = "true", 2, 0)
| risk_score := risk_score + if(is_winlogon_hijack = "true", 3, 0)
| select(
    [timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     TargetRegistryKey, TargetRegistryValueName, TargetRegistryValueData,
     is_persistence_key, is_defense_evasion_key, is_wdigest_enable,
     is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, risk_score]
  )
| sort(field=risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon telemetry: RegSetValue, RegCreateKey, AsepValueUpdate, AsepKeyUpdate events

Required Tables

Falcon event stream (RegSetValue, RegCreateKey, AsepValueUpdate, AsepKeyUpdate)

False Positives

CrowdStrike Falcon sensor itself and other EDR/AV products generate registry events when writing exclusions, configuration, and protection state to Windows Defender and LSA-adjacent keys.
Managed deployment tooling using PowerShell (e.g., Intune remediation scripts, SCCM task sequences) generates high-volume registry events to Run keys and service paths that are part of authorized software lifecycle management.
Developer workstations running build automation (msbuild.exe) or test harnesses may trigger IFEO and run key events as part of debugging or instrumentation workflows.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Modify Registry

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections