Detect Modify Registry in Google Chronicle
Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1112 Modify Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1112/
YARA-L Detection Query
rule t1112_modify_registry_suspicious {
meta:
author = "Argus Detection Engineering"
description = "Detects suspicious Windows Registry modifications to persistence and defense evasion keys initiated by commonly abused processes. Covers Run keys, Winlogon hijack, IFEO debugger, LSA WDigest enable, Windows Defender disable, UAC bypass, and Office macro enable."
mitre_attack_tactic = "Defense Evasion, Persistence"
mitre_attack_technique = "T1112"
mitre_attack_url = "https://attack.mitre.org/techniques/T1112/"
severity = "HIGH"
priority = "HIGH"
events:
$e.metadata.event_type = "REGISTRY_MODIFICATION"
(
re.regex($e.target.registry.registry_key, `(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options|\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)`) = true
)
re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$`) = true
match:
$e.principal.hostname over 5m
outcome:
$host = $e.principal.hostname
$user = $e.principal.user.userid
$process = $e.principal.process.file.full_path
$registry_key = $e.target.registry.registry_key
$registry_value_name = $e.target.registry.registry_value_name
$registry_value_data = $e.target.registry.registry_value_data
$is_wdigest_enable = if(
re.regex($e.target.registry.registry_key, `(?i)\\Lsa`) and
re.regex($e.target.registry.registry_value_name, `(?i)UseLogonCredential`), 1, 0
)
$is_defender_disable = if(
re.regex($e.target.registry.registry_key, `(?i)Windows Defender`) and
re.regex($e.target.registry.registry_value_name, `(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)`), 1, 0
)
$is_uac_bypass = if(
re.regex($e.target.registry.registry_key, `(?i)Policies\\System`) and
re.regex($e.target.registry.registry_value_name, `(?i)(EnableLUA|ConsentPromptBehaviorAdmin)`), 1, 0
)
$is_ifeo = if(
re.regex($e.target.registry.registry_key, `(?i)Image File Execution Options`) and
re.regex($e.target.registry.registry_value_name, `(?i)Debugger`), 1, 0
)
$is_winlogon_hijack = if(
re.regex($e.target.registry.registry_key, `(?i)Winlogon`) and
re.regex($e.target.registry.registry_value_name, `(?i)(Userinit|Shell)`), 1, 0
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting suspicious Windows Registry modifications to persistence and defense evasion keys. Monitors REGISTRY_MODIFICATION events where the initiating process is a commonly abused LOLBin or scripting host, enriches events with specific high-risk modification classifications including WDigest enable, Defender disable, UAC bypass, IFEO debugger hijack, and Winlogon hijack.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installations and update processes that use reg.exe or PowerShell to configure persistence mechanisms or disable conflicting security software during setup.
- System administrators using scripting tools to configure Windows Defender exclusions, UAC policies, or Winlogon settings as part of authorized hardening or configuration workflows.
- Enterprise backup and recovery agents that modify service registry entries and security policy keys during deployment or DR testing activities.
Other platforms for T1112
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
- Test 2Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
- Test 3Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
- Test 4IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
References (12)
- https://attack.mitre.org/techniques/T1112/
- https://learn.microsoft.com/en-us/sysinternals/downloads/reghide
- https://learn.microsoft.com/en-us/sysinternals/downloads/regdelnull
- https://technet.microsoft.com/en-us/library/cc732643.aspx
- https://technet.microsoft.com/en-us/library/cc754820.aspx
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
Unlock Pro Content
Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.