Detect Modify Registry in CrowdStrike LogScale
Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1112 Modify Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1112/
LogScale Detection Query
// CrowdStrike LogScale (Falcon) - T1112 Registry Modification Detection
#event_simpleName = /^(RegSetValue|RegCreateKey|AsepValueUpdate|AsepKeyUpdate)$/
| TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|\\Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image\s*File\s*Execution\s*Options|\\Control\\Lsa|Windows\s*Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|bitsadmin\.exe|installutil\.exe|reg\.exe)$/
| is_persistence_key := if(
TargetRegistryKey = /(?i)(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\SYSTEM\\CurrentControlSet\\Services\\|Image File Execution Options)/,
"true", "false"
)
| is_defense_evasion_key := if(
TargetRegistryKey = /(?i)(\\Control\\Lsa|Windows Defender|Policies\\System|\\Microsoft\\Office|ZoneMap)/,
"true", "false"
)
| is_wdigest_enable := if(
TargetRegistryKey = /(?i)\\Lsa/ AND TargetRegistryValueName = /(?i)UseLogonCredential/,
"true", "false"
)
| is_defender_disable := if(
TargetRegistryKey = /(?i)Windows Defender/ AND TargetRegistryValueName = /(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)/,
"true", "false"
)
| is_uac_bypass := if(
TargetRegistryKey = /(?i)Policies\\System/ AND TargetRegistryValueName = /(?i)(EnableLUA|ConsentPromptBehaviorAdmin)/,
"true", "false"
)
| is_ifeo := if(
TargetRegistryKey = /(?i)Image File Execution Options/ AND TargetRegistryValueName = /(?i)Debugger/,
"true", "false"
)
| is_winlogon_hijack := if(
TargetRegistryKey = /(?i)Winlogon/ AND TargetRegistryValueName = /(?i)(Userinit|Shell)/,
"true", "false"
)
| risk_score := 0
| risk_score := risk_score + if(is_persistence_key = "true", 1, 0)
| risk_score := risk_score + if(is_defense_evasion_key = "true", 1, 0)
| risk_score := risk_score + if(is_wdigest_enable = "true", 3, 0)
| risk_score := risk_score + if(is_defender_disable = "true", 3, 0)
| risk_score := risk_score + if(is_uac_bypass = "true", 2, 0)
| risk_score := risk_score + if(is_ifeo = "true", 2, 0)
| risk_score := risk_score + if(is_winlogon_hijack = "true", 3, 0)
| select(
[timestamp, ComputerName, UserName, ImageFileName, CommandLine,
TargetRegistryKey, TargetRegistryValueName, TargetRegistryValueData,
is_persistence_key, is_defense_evasion_key, is_wdigest_enable,
is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, risk_score]
)
| sort(field=risk_score, order=desc)Detects suspicious Windows Registry modifications in CrowdStrike Falcon via LogScale CQL. Queries RegSetValue, RegCreateKey, AsepValueUpdate, and AsepKeyUpdate events targeting persistence and defense evasion registry paths initiated by known LOLBins and scripting hosts. Calculates a weighted risk score and classifies specific high-severity modifications including WDigest credential caching enable, Defender disable, IFEO debugger hijack, Winlogon shell replacement, and UAC bypass.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself and other EDR/AV products generate registry events when writing exclusions, configuration, and protection state to Windows Defender and LSA-adjacent keys.
- Managed deployment tooling using PowerShell (e.g., Intune remediation scripts, SCCM task sequences) generates high-volume registry events to Run keys and service paths that are part of authorized software lifecycle management.
- Developer workstations running build automation (msbuild.exe) or test harnesses may trigger IFEO and run key events as part of debugging or instrumentation workflows.
Other platforms for T1112
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
- Test 2Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
- Test 3Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
- Test 4IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
References (12)
- https://attack.mitre.org/techniques/T1112/
- https://learn.microsoft.com/en-us/sysinternals/downloads/reghide
- https://learn.microsoft.com/en-us/sysinternals/downloads/regdelnull
- https://technet.microsoft.com/en-us/library/cc732643.aspx
- https://technet.microsoft.com/en-us/library/cc754820.aspx
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
Unlock Pro Content
Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.