T1112 IBM QRadar · QRadar

Detect Modify Registry in IBM QRadar

Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence
Technique
T1112 Modify Registry
Canonical reference
https://attack.mitre.org/techniques/T1112/

QRadar Detection Query

IBM QRadar (QRadar)

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Process Name" AS process_name,
  "Object Name" AS registry_path,
  "Object Value Name" AS value_name,
  "New Value" AS value_data,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  sourceip,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*' THEN 1
    ELSE 0
  END AS is_persistence_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*' THEN 1
    ELSE 0
  END AS is_defense_evasion_key,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*\\LSA.*' AND UPPER("Object Value Name") MATCHES '.*USELOGONCREDENTIAL.*' THEN 1
    ELSE 0
  END AS is_wdigest_enable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINDOWS DEFENDER.*' AND UPPER("Object Value Name") MATCHES '.*DISABLEANTISPY.*|.*DISABLEREALTIMEMON.*|.*DISABLEANTIVIRUS.*' THEN 1
    ELSE 0
  END AS is_defender_disable,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*POLICIES\\SYSTEM.*' AND UPPER("Object Value Name") MATCHES '.*ENABLELUA.*|.*CONSENTPROMPTBEHAVIORADMIN.*' THEN 1
    ELSE 0
  END AS is_uac_bypass,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*IMAGE FILE EXECUTION OPTIONS.*' AND UPPER("Object Value Name") MATCHES '.*DEBUGGER.*' THEN 1
    ELSE 0
  END AS is_ifeo,
  CASE
    WHEN UPPER("Object Name") MATCHES '.*WINLOGON.*' AND UPPER("Object Value Name") MATCHES '.*USERINIT.*|.*SHELL.*' THEN 1
    ELSE 0
  END AS is_winlogon_hijack,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe).*' THEN 1
    ELSE 0
  END AS is_suspicious_process
FROM events
WHERE
  (
    LOGSOURCETYPENAME(devicetype) ILIKE '%windows%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%microsoft%'
  )
  AND (deviceEventId = '4657' OR deviceEventId IN ('12','13','14'))
  AND UPPER("Object Name") MATCHES '.*CURRENTVERSION\\RUN.*|.*CURRENTVERSION\\RUNONCE.*|.*WINLOGON.*|.*\\SERVICES\\.*|.*IMAGE FILE EXECUTION OPTIONS.*|.*\\LSA.*|.*WINDOWS DEFENDER.*|.*POLICIES\\SYSTEM.*|.*\\OFFICE\\.*|.*ZONEMAP.*'
ORDER BY starttime DESC
LAST 24 HOURS

Severity: High · Confidence: Medium

Detects Windows Registry modifications to persistence and defense evasion keys via QRadar AQL by querying Windows Security Event 4657 (registry value modification) and Sysmon events 12/13/14. Classifies events by key type, specific high-risk value changes (WDigest, Defender disable, UAC bypass, IFEO, Winlogon hijack), and suspicious initiating processes.

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log (Event ID 4657)
  • Sysmon Event Log (Events 12, 13, 14)
  • Microsoft Windows DSM

Required Tables

events

False Positives & Tuning

  • Legitimate software deployment tools (SCCM, Intune, PDQ Deploy) modify Run keys and service entries during managed software installation.
  • Security software including AV and EDR products may write to Windows Defender policy keys when applying exclusions or configurations.
  • IT automation scripts run by administrators via PowerShell or cmd.exe will generate registry events that match these patterns during routine configuration tasks.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add Persistence via Run Key using reg.exe

    Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.

  2. Test 2: Enable WDigest Plaintext Credential Caching

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.

  3. Test 3: Disable Windows Defender via Registry

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.

  4. Test 4: IFEO Debugger Injection for Sticky Keys Backdoor

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
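As an added example (not part of this page or of the QRadar query), the same classification logic as the AQL CASE expressions, run in Python over constructed Sysmon Event 13 records built from the four expected signals above plus one benign change. It assumes the Sysmon TargetObject carries the key path with the value name as its last component, and splits it so the key and value name are checked the way the query checks "Object Name" and "Object Value Name" separately.

```python
import re

# Patterns mirror the CASE expressions in the AQL query (case-insensitive here).
PERSISTENCE_KEY = re.compile(
    r"CURRENTVERSION\\RUN|CURRENTVERSION\\RUNONCE|WINLOGON|\\SERVICES\\|IMAGE FILE EXECUTION OPTIONS", re.I)
EVASION_KEY = re.compile(r"\\LSA|WINDOWS DEFENDER|POLICIES\\SYSTEM|\\OFFICE\\|ZONEMAP", re.I)
SUSPICIOUS_IMAGE = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|wmic|certutil|reg)\.exe$", re.I)
# (key pattern, value-name pattern, flag name) for the high-risk value checks.
VALUE_RULES = [
    (r"\\LSA", r"USELOGONCREDENTIAL", "is_wdigest_enable"),
    (r"WINDOWS DEFENDER", r"DISABLEANTISPY|DISABLEREALTIMEMON|DISABLEANTIVIRUS", "is_defender_disable"),
    (r"POLICIES\\SYSTEM", r"ENABLELUA|CONSENTPROMPTBEHAVIORADMIN", "is_uac_bypass"),
    (r"IMAGE FILE EXECUTION OPTIONS", r"DEBUGGER", "is_ifeo"),
    (r"WINLOGON", r"USERINIT|SHELL", "is_winlogon_hijack"),
]

def classify(target_object, image):
    """Flags for one Sysmon 13 event; TargetObject = key path + '\\' + value name (assumption)."""
    key, _, value_name = target_object.rpartition("\\")
    flags = {
        "is_persistence_key": bool(PERSISTENCE_KEY.search(key)),
        "is_defense_evasion_key": bool(EVASION_KEY.search(key)),
        "is_suspicious_process": bool(SUSPICIOUS_IMAGE.search(image)),
    }
    for key_re, name_re, flag in VALUE_RULES:
        flags[flag] = bool(re.search(key_re, key, re.I) and re.search(name_re, value_name, re.I))
    return flags

def in_scope(target_object):
    """Equivalent of the query's WHERE filter: the key is in either watch list."""
    key = target_object.rpartition("\\")[0]
    return bool(PERSISTENCE_KEY.search(key) or EVASION_KEY.search(key))

# Constructed sample events: the four expected signals from the tests, plus a benign Explorer setting.
SAMPLE_EVENTS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test", r"C:\Windows\System32\reg.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential", r"C:\Windows\System32\reg.exe"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", r"C:\Windows\System32\reg.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     r"C:\Windows\System32\reg.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", r"C:\Windows\explorer.exe"),
]

def triage(events):
    """Return [(target_object, sorted raised flag names)] for in-scope events only."""
    out = []
    for target, image in events:
        if in_scope(target):
            flags = classify(target, image)
            out.append((target, sorted(f for f, v in flags.items() if v)))
    return out

if __name__ == "__main__":
    for target, hits in triage(SAMPLE_EVENTS):
        print(target, "->", ", ".join(hits))
```

The benign Explorer change is filtered out by in_scope, which is the same effect the WHERE clause has in QRadar; the four test events each raise exactly the flag that the matching test describes.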
