
Detect Modify Registry in Splunk

Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence
Technique
T1112 Modify Registry
Canonical reference
https://attack.mitre.org/techniques/T1112/

SPL Detection Query

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14))
OR (sourcetype="WinEventLog:Security" EventCode=4657)
| eval RegistryPath=coalesce(TargetObject, ObjectName)
| eval ValueName=coalesce(ObjectValueName, mvindex(split(TargetObject, "\\"), -1))
| eval ValueData=coalesce(Details, NewValue)
| eval ProcessName=coalesce(Image, ProcessName)
| eval UserName=coalesce(User, SubjectUserName)
| eval IsPersistenceKey=if(match(RegistryPath, "(?i)(CurrentVersion\\\\Run|CurrentVersion\\\\RunOnce|Winlogon|\\\\Services\\\\|Image File Execution Options)"), 1, 0)
| eval IsDefenseEvasionKey=if(match(RegistryPath, "(?i)(Lsa|Windows Defender|Policies\\\\System|\\\\Office\\\\|ZoneMap)"), 1, 0)
| eval IsWDigestEnable=if(match(RegistryPath, "(?i)Lsa") AND match(ValueName, "(?i)UseLogonCredential"), 1, 0)
| eval IsDefenderDisable=if(match(RegistryPath, "(?i)Windows Defender") AND match(ValueName, "(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus)"), 1, 0)
| eval IsMacroEnable=if(match(RegistryPath, "(?i)\\\\Security") AND match(ValueName, "(?i)VBAWarnings"), 1, 0)
| eval IsUACBypass=if(match(RegistryPath, "(?i)Policies\\\\System") AND match(ValueName, "(?i)(EnableLUA|ConsentPromptBehaviorAdmin)"), 1, 0)
| eval IsIFEO=if(match(RegistryPath, "(?i)Image File Execution Options") AND match(ValueName, "(?i)Debugger"), 1, 0)
| eval IsWinlogonHijack=if(match(RegistryPath, "(?i)Winlogon") AND match(ValueName, "(?i)(Userinit|Shell)"), 1, 0)
| eval IsSuspiciousProcess=if(match(ProcessName, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|wmic\.exe|certutil\.exe|reg\.exe)"), 1, 0)
| eval RiskScore=IsPersistenceKey + IsDefenseEvasionKey + IsWDigestEnable*3 + IsDefenderDisable*3 + IsMacroEnable + IsUACBypass*2 + IsIFEO*2 + IsWinlogonHijack*3 + IsSuspiciousProcess
| where (IsPersistenceKey=1 OR IsDefenseEvasionKey=1) AND RiskScore > 0
| table _time, host, UserName, ProcessName, EventCode, RegistryPath, ValueName, ValueData,
        IsPersistenceKey, IsDefenseEvasionKey, IsWDigestEnable, IsDefenderDisable,
        IsMacroEnable, IsUACBypass, IsIFEO, IsWinlogonHijack, IsSuspiciousProcess, RiskScore
| sort - RiskScore, - _time
Severity
High
Confidence
Medium

Detects suspicious registry modifications using Sysmon Event IDs 12 (registry key create/delete), 13 (registry value set) and 14 (registry key/value rename), supplemented by Security Event ID 4657 (registry value modified; requires SACL auditing on the key). Each modification is evaluated against known persistence and defense-evasion registry paths and assigned a weighted risk score; the highest-impact patterns (WDigest enablement, Defender disablement, Winlogon hijacking) carry the largest weights. Results are sorted by risk score so that the highest-priority events surface first.

Data Sources

  • Windows Registry: Windows Registry Key Modification
  • Sysmon Event ID 12 (Registry Object Create/Delete)
  • Sysmon Event ID 13 (Registry Value Set)
  • Sysmon Event ID 14 (Registry Key/Value Rename)
  • Windows Security Event ID 4657

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)
  • Group Policy application modifies Defender and Office macro policy keys during scheduled policy refreshes (gpscript.exe parent)
  • Endpoint management agents (SCCM, Intune) that configure system settings via registry modifications during software deployment
  • Legitimate security hardening scripts executed by IT administrators using reg.exe or PowerShell to apply CIS benchmarks

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add Persistence via Run Key using reg.exe

    Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.

  2. Test 2: Enable WDigest Plaintext Credential Caching

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.

  3. Test 3: Disable Windows Defender via Registry

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.

  4. Test 4: IFEO Debugger Injection for Sticky Keys Backdoor

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
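To check that the scoring in the SPL query fires on the four expected signals above before the rule is deployed, here is an added Python replay of the query's field normalisation and RiskScore logic over constructed sample events. This is example code written for this page, not the detection's own code or an Atomic Red Team artifact: the Sysmon and Security 4657 records are constructed from the field values the tests list, the user, host and vendor names in them are placeholders, and the query's PCRE patterns are reproduced here with Python escaping.

```python
"""Offline replay of the T1112 registry-modification scoring from the SPL query above.
Added example, not code from the original detection page: it re-implements the query's field
normalisation and weighted RiskScore so the Testing Methodology signals can be replayed without
a Splunk instance. Every event below is a constructed sample."""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Patterns behind the IsPersistenceKey / IsDefenseEvasionKey / IsSuspiciousProcess evals.
PERSISTENCE_KEY = re.compile(
    r"CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|\\Services\\|Image File Execution Options", re.I)
DEFENSE_EVASION_KEY = re.compile(r"Lsa|Windows Defender|Policies\\System|\\Office\\|ZoneMap", re.I)
SUSPICIOUS_PROCESS = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild|wmic|certutil|reg)\.exe", re.I)

# (flag, path pattern, value-name pattern, RiskScore weight) for the path-plus-value indicators.
INDICATORS = [
    ("IsWDigestEnable", r"Lsa", r"UseLogonCredential", 3),
    ("IsDefenderDisable", r"Windows Defender", r"DisableAntiSpyware|DisableRealtimeMonitoring|DisableAntiVirus", 3),
    ("IsMacroEnable", r"\\Security", r"VBAWarnings", 1),
    ("IsUACBypass", r"Policies\\System", r"EnableLUA|ConsentPromptBehaviorAdmin", 2),
    ("IsIFEO", r"Image File Execution Options", r"Debugger", 2),
    ("IsWinlogonHijack", r"Winlogon", r"Userinit|Shell", 3),
]

def parse_sysmon_xml(xml_text):
    """Flatten an XmlWinEventLog Sysmon record into EventCode plus its EventData fields."""
    root = ET.fromstring(xml_text)
    event = {"EventCode": int(root.find("e:System/e:EventID", EVT_NS).text)}
    for data in root.find("e:EventData", EVT_NS):
        event[data.get("Name")] = data.text or ""
    return event

def normalize(event):
    """Map Sysmon 12/13/14 and Security 4657 fields onto the schema the query evaluates.
    Sysmon's TargetObject ends in the value name and Details holds the data written, so the
    value name is the last path component; 4657 carries it directly in ObjectValueName."""
    path = event.get("TargetObject") or event.get("ObjectName") or ""
    return {
        "EventCode": event["EventCode"],
        "RegistryPath": path,
        "ValueName": event.get("ObjectValueName") or path.rsplit("\\", 1)[-1],
        "ValueData": event.get("Details") or event.get("NewValue") or "",
        "ProcessName": event.get("Image") or event.get("ProcessName") or "",
        "UserName": event.get("User") or event.get("SubjectUserName") or "",
    }

def score(norm):
    """Reproduce the IsXxx flags, the weighted RiskScore and the query's final where clause."""
    flags = {
        "IsPersistenceKey": int(bool(PERSISTENCE_KEY.search(norm["RegistryPath"]))),
        "IsDefenseEvasionKey": int(bool(DEFENSE_EVASION_KEY.search(norm["RegistryPath"]))),
        "IsSuspiciousProcess": int(bool(SUSPICIOUS_PROCESS.search(norm["ProcessName"]))),
    }
    for name, path_re, value_re, _ in INDICATORS:
        flags[name] = int(bool(re.search(path_re, norm["RegistryPath"], re.I)
                               and re.search(value_re, norm["ValueName"], re.I)))
    risk = flags["IsPersistenceKey"] + flags["IsDefenseEvasionKey"] + flags["IsSuspiciousProcess"]
    risk += sum(weight * flags[name] for name, _, _, weight in INDICATORS)
    flags["RiskScore"] = risk
    # where (IsPersistenceKey=1 OR IsDefenseEvasionKey=1) AND RiskScore > 0
    flags["Alert"] = bool(flags["IsPersistenceKey"] or flags["IsDefenseEvasionKey"]) and risk > 0
    return flags

# Constructed Sysmon 13 record for Test 2 (WDigest), shaped like an XmlWinEventLog event.
SYSMON_WDIGEST_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="TargetObject">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential</Data>
    <Data Name="Details">DWORD (0x00000001)</Data>
    <Data Name="User">LAB\admin</Data>
  </EventData>
</Event>"""

# Constructed Security 4657 for the same change, already field-extracted (placeholder user).
SECURITY_4657_WDIGEST = {
    "EventCode": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "ObjectValueName": "UseLogonCredential", "OldValue": "0", "NewValue": "1",
    "ProcessName": r"C:\Windows\System32\reg.exe", "SubjectUserName": "admin",
}

# Constructed Sysmon 13 records mirroring Tests 1, 3 and 4, plus one benign application setting.
SYSMON_SAMPLES = {
    "run_key": {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test",
                "Details": r"C:\Windows\System32\cmd.exe /c echo persistence_test"},
    "defender": {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
                 "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
                 "Details": "DWORD (0x00000001)"},
    "ifeo": {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
             "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
             "Details": r"C:\Windows\System32\cmd.exe"},
    "benign": {"EventCode": 13, "Image": r"C:\Program Files\ExampleVendor\app.exe",
               "TargetObject": r"HKCU\Software\ExampleVendor\App\Theme", "Details": "dark"},
}

if __name__ == "__main__":
    for label, event in [("sysmon_wdigest", parse_sysmon_xml(SYSMON_WDIGEST_XML)),
                         ("security_4657_wdigest", SECURITY_4657_WDIGEST), *SYSMON_SAMPLES.items()]:
        result = score(normalize(event))
        print(f"{label:22s} alert={result['Alert']!s:5s} risk={result['RiskScore']}")
```

Running the file prints one line per sample: the Run key, Defender and IFEO records score 2, 5 and 4, the benign application setting scores 0 and never reaches the where clause, and the WDigest change scores 5 whether it arrives as Sysmon Event ID 13 or Security Event ID 4657. That last point is the property the normalisation has to provide: for Sysmon records the value name must be taken from the last component of TargetObject, because Details carries the data written rather than the name, while 4657 reports the name in ObjectValueName.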
