Which SIEM platforms have a T1112 detection rule?

df00tech provides T1112 (Modify Registry) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Modify Registry (T1112)?

Detecting Modify Registry requires the following data sources: Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint, Process: Process Creation.

What severity and confidence is the T1112 detection?

The T1112 detection is rated high severity with medium confidence.

What are common false positives for T1112?

Common false positives for T1112 include: Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths); Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes; System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts.

T1112 Elastic Security · Elastic

Detect Modify Registry in Elastic Security

Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.

MITRE ATT&CK

Tactic: Defense Evasion Persistence
Technique: T1112 Modify Registry
Canonical reference: https://attack.mitre.org/techniques/T1112/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name, process.entity_id with maxspan=5m
  [registry where event.type in ("creation", "change") and
   (
     registry.path : (
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*",
       "*\\SYSTEM\\CurrentControlSet\\Services\\*",
       "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*",
       "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*",
       "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows Defender*",
       "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*",
       "*\\SOFTWARE\\Microsoft\\Office*",
       "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*"
     )
   ) and
   process.name : (
     "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
     "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
     "certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
   )
  ]

// Alternate single-event query for broader coverage:
// registry where event.type in ("creation", "change") and
// registry.path : ("*CurrentVersion\\Run*", "*Winlogon*", "*Lsa*", "*Windows Defender*", "*Image File Execution Options*", "*Policies\\System*", "*\\Services\\*", "*\\Office\\*", "*ZoneMap*")

high severity high confidence

Detects suspicious Windows Registry modifications targeting persistence keys (Run/RunOnce, Winlogon, Services, IFEO) and defense evasion keys (LSA WDigest, Windows Defender disable, Office macro enable, UAC bypass) initiated by commonly abused processes such as PowerShell, cmd.exe, reg.exe, and LOLBins.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.registry-*winlogbeat-*

False Positives & Tuning

Software installers and updaters legitimately write to Run keys and service registry paths during installation or updates.
Group Policy processing (gpupdate) and system management tools may modify Windows Defender and security policy registry keys as part of authorized configuration management.
Administrative scripts and configuration management tools (Ansible, Chef, Puppet) may use PowerShell or cmd.exe to write registry values during infrastructure provisioning.

Download portable Sigma rule (.yml)

Other platforms for T1112

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
Test 2Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
Test 3Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
Test 4IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1547.001Registry Run Keys / Startup Folder T1562.001Disable or Modify Tools T1003.001LSASS Memory T1546.008Accessibility Features T1548.002Bypass User Account Control T1027.011Fileless Storage T1543.003Windows Service T1059.001PowerShell T1021.002SMB/Windows Admin Shares

Detect Modify Registry in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1112

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1112

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox