Detect Modify Registry in Microsoft Sentinel
Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1112 Modify Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1112/
KQL Detection Query
let SuspiciousPersistenceKeys = dynamic([
"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"\\SYSTEM\\CurrentControlSet\\Services",
"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
]);
let DefenseEvasionKeys = dynamic([
"\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
"\\SOFTWARE\\Microsoft\\Windows Defender",
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"\\SOFTWARE\\Microsoft\\Office",
"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
]);
let SuspiciousProcesses = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "wmic.exe",
"certutil.exe", "bitsadmin.exe", "installutil.exe", "reg.exe"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (SuspiciousPersistenceKeys) or RegistryKey has_any (DefenseEvasionKeys)
| extend IsSuspiciousProcess = InitiatingProcessFileName in~ (SuspiciousProcesses)
| extend IsPersistenceKey = RegistryKey has_any (SuspiciousPersistenceKeys)
| extend IsDefenseEvasionKey = RegistryKey has_any (DefenseEvasionKeys)
| extend IsWDigestEnable = RegistryKey has "Lsa" and RegistryValueName =~ "UseLogonCredential" and RegistryValueData == "1"
| extend IsDefenderDisable = RegistryKey has "Windows Defender" and RegistryValueName =~ "DisableAntiSpyware" and RegistryValueData == "1"
| extend IsMacroEnable = RegistryKey has "\\Security" and RegistryValueName =~ "VBAWarnings" and RegistryValueData == "1"
| extend IsUACBypass = RegistryKey has "Policies\\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0"
| extend IsIFEO = RegistryKey has "Image File Execution Options" and RegistryValueName =~ "Debugger"
| extend IsWinlogonHijack = RegistryKey has "Winlogon" and RegistryValueName in~ ("Userinit", "Shell")
| project Timestamp, DeviceName, AccountName, ActionType,
RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
IsPersistenceKey, IsDefenseEvasionKey, IsSuspiciousProcess,
IsWDigestEnable, IsDefenderDisable, IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack
| sort by Timestamp descDetects suspicious Windows Registry modifications using Microsoft Defender for Endpoint DeviceRegistryEvents. Covers key attack patterns: persistence via Run keys, Winlogon hijacking, and IFEO debugger injection; defense evasion via WDigest credential caching enablement, Windows Defender disabling, UAC bypass, and Office macro policy changes. Flags modifications initiated by common LOLBins and scripting interpreters. Each row is annotated with boolean flags identifying the specific attack pattern for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
- Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes
- System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts
- Endpoint management agents (SCCM, Intune, Tanium) that configure system settings via registry modifications during software deployment
- Antivirus and EDR products that legitimately modify Windows Defender registry keys during updates or configuration changes
Other platforms for T1112
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
- Test 2Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
- Test 3Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
- Test 4IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
References (12)
- https://attack.mitre.org/techniques/T1112/
- https://learn.microsoft.com/en-us/sysinternals/downloads/reghide
- https://learn.microsoft.com/en-us/sysinternals/downloads/regdelnull
- https://technet.microsoft.com/en-us/library/cc732643.aspx
- https://technet.microsoft.com/en-us/library/cc754820.aspx
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
Unlock Pro Content
Get the full detection package for T1112 including response playbook, investigation guide, and atomic red team tests.