Detect Modify Registry in Sumo Logic CSE
Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities.
MITRE ATT&CK
- Tactic
- Defense Evasion, Persistence
- Technique
- T1112 Modify Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1112/
Sumo Detection Query
_sourceCategory="windows/*" ("EventCode=4657" OR "EventCode=12" OR "EventCode=13" OR "EventCode=14")
| parse "TargetObject=*" as registry_path nodrop
| parse "ObjectName=*" as object_name nodrop
| parse "Image=*" as sysmon_process nodrop
| parse "ProcessName=*" as sec_process_name nodrop
| parse "User=*" as sysmon_user nodrop
| parse "SubjectUserName=*" as sec_user nodrop
| parse "Details=*" as sysmon_value_data nodrop
| parse "ObjectValueName=*" as value_name nodrop
| if (!isNull(registry_path), registry_path, object_name) as registry_path
| if (!isNull(sysmon_process), sysmon_process, sec_process_name) as process_name
| if (!isNull(sysmon_user), sysmon_user, sec_user) as user_name
| where (
registry_path matches "*CurrentVersion\\Run*"
OR registry_path matches "*CurrentVersion\\RunOnce*"
OR registry_path matches "*Winlogon*"
OR registry_path matches "*\\Services\\*"
OR registry_path matches "*Image File Execution Options*"
OR registry_path matches "*\\Lsa*"
OR registry_path matches "*Windows Defender*"
OR registry_path matches "*Policies\\System*"
OR registry_path matches "*\\Office\\*"
OR registry_path matches "*ZoneMap*"
)
| if (registry_path matches "*CurrentVersion\\Run*" OR registry_path matches "*Winlogon*" OR registry_path matches "*\\Services\\*" OR registry_path matches "*Image File Execution Options*", 1, 0) as is_persistence_key
| if (registry_path matches "*\\Lsa*" OR registry_path matches "*Windows Defender*" OR registry_path matches "*Policies\\System*" OR registry_path matches "*\\Office\\*" OR registry_path matches "*ZoneMap*", 1, 0) as is_defense_evasion_key
| if (registry_path matches "*\\Lsa*" AND value_name matches "*UseLogonCredential*", 1, 0) as is_wdigest_enable
| if (registry_path matches "*Windows Defender*" AND (value_name matches "*DisableAntiSpyware*" OR value_name matches "*DisableRealtimeMonitoring*"), 1, 0) as is_defender_disable
| if (registry_path matches "*Policies\\System*" AND (value_name matches "*EnableLUA*" OR value_name matches "*ConsentPromptBehaviorAdmin*"), 1, 0) as is_uac_bypass
| if (registry_path matches "*Image File Execution Options*" AND value_name matches "*Debugger*", 1, 0) as is_ifeo
| if (registry_path matches "*Winlogon*" AND (value_name matches "*Userinit*" OR value_name matches "*Shell*"), 1, 0) as is_winlogon_hijack
| if (process_name matches "*powershell.exe*" OR process_name matches "*cmd.exe*" OR process_name matches "*wscript.exe*" OR process_name matches "*cscript.exe*" OR process_name matches "*mshta.exe*" OR process_name matches "*rundll32.exe*" OR process_name matches "*regsvr32.exe*" OR process_name matches "*reg.exe*" OR process_name matches "*wmic.exe*" OR process_name matches "*certutil.exe*", 1, 0) as is_suspicious_process
| (is_persistence_key + is_defense_evasion_key + (is_wdigest_enable * 3) + (is_defender_disable * 3) + is_uac_bypass * 2 + is_ifeo * 2 + is_winlogon_hijack * 3 + is_suspicious_process) as risk_score
| where risk_score > 0
| fields _messagetime, _sourceHost, user_name, process_name, registry_path, value_name, is_persistence_key, is_defense_evasion_key, is_wdigest_enable, is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack, is_suspicious_process, risk_score
| sort by risk_score desc, _messagetime desc

Detects suspicious Windows Registry modifications targeting persistence and defense evasion keys using Sumo Logic CSE. Parses Windows Security Event 4657 and Sysmon registry events (12/13/14), classifies by key type and specific high-risk value changes, and calculates a weighted risk score to prioritize high-fidelity alerts.
False Positives & Tuning
- Windows Update and Microsoft Update processes legitimately modify services registry keys and Windows Defender policy entries during patch cycles.
- Enterprise endpoint management solutions (SCCM, Tanium, CrowdStrike) write to run keys and policy registry paths as part of normal agent operations.
- Software development activity including IDE plugins and build systems may invoke msbuild.exe or PowerShell against registry keys during build or test workflows.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Persistence via Run Key using reg.exe
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Set): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test, Details=C:\Windows\System32\cmd.exe /c echo persistence_test, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 1 (Process Create): Image=reg.exe with CommandLine showing add and Run key path. Security Event ID 4657 if SACL auditing is configured on the Run key.
- Test 2: Enable WDigest Plaintext Credential Caching
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential, Details=DWORD (0x00000001), Image=C:\Windows\System32\reg.exe. Security Event ID 4657 (if SACL configured on LSA key): OldValue=0 or empty, NewValue=1. Process creation event for reg.exe with the full command line visible.
- Test 3: Disable Windows Defender via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, Details=DWORD (0x00000001). If Tamper Protection is active: Windows Defender Event ID 5001 (Real-time protection disabled) or Event ID 5013 (Tamper protection blocked change) in Microsoft-Windows-Windows Defender/Operational log. Process creation: reg.exe with DisableAntiSpyware in command line.
- Test 4: IFEO Debugger Injection for Sticky Keys Backdoor
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe, Image=reg.exe. Sysmon Event ID 1 for reg.exe with full command line. If the backdoor is triggered: Sysmon Event ID 1 showing sethc.exe spawning cmd.exe from the winlogon.exe parent context.
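The Sumo query above only runs inside Sumo Logic, so what follows is an added Python re-implementation of its parsing, key classification and weighted risk scoring (example code written for this page; it is not the page's query and not Sumo Logic code). It runs over constructed event text modelled on the expected signals of Tests 1 to 4, plus a benign SCCM service-key write as a tuning case for the false-positive list above and an unrelated key that the where clause should drop. Field names (TargetObject, ObjectName, ObjectValueName, Image, ProcessName, User, SubjectUserName, Details) follow the query; the process allowlist, the user names and the SCCM and vendor paths are constructed. One deliberate divergence from the query, marked in the code: for Sysmon Event ID 13 the value name is derived from the last component of TargetObject, because Sysmon carries no ObjectValueName and the query's value-specific flags (is_wdigest_enable, is_defender_disable, is_uac_bypass, is_ifeo, is_winlogon_hijack) would otherwise only fire on Security 4657 records.

```python
"""Added example: Python re-implementation of the registry-modification query's
parsing, classification and weighted scoring, run over constructed event text."""
import re
from typing import Dict, List, Optional

# Key-path patterns from the query's where/if clauses (case-insensitive substring here).
PERSISTENCE_KEYS = ["CurrentVersion\\Run", "Winlogon", "\\Services\\", "Image File Execution Options"]
EVASION_KEYS = ["\\Lsa", "Windows Defender", "Policies\\System", "\\Office\\", "ZoneMap"]
SUSPICIOUS_PROCESSES = ["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                        "rundll32.exe", "regsvr32.exe", "reg.exe", "wmic.exe", "certutil.exe"]
# Value-specific flags: (key pattern, value names, weight) exactly as weighted in the query.
SPECIFIC_CHECKS = {
    "is_wdigest_enable": ("\\Lsa", ["UseLogonCredential"], 3),
    "is_defender_disable": ("Windows Defender", ["DisableAntiSpyware", "DisableRealtimeMonitoring"], 3),
    "is_uac_bypass": ("Policies\\System", ["EnableLUA", "ConsentPromptBehaviorAdmin"], 2),
    "is_ifeo": ("Image File Execution Options", ["Debugger"], 2),
    "is_winlogon_hijack": ("Winlogon", ["Userinit", "Shell"], 3),
}
FIELD_RE = re.compile(r"^(\w+)=(.*)$")


def _contains(text: str, patterns) -> bool:
    t = text.lower()
    return any(p.lower() in t for p in patterns)


def parse_event(raw: str) -> Dict[str, str]:
    """Parse 'Field=value' lines and coalesce Sysmon/Security names as the query's if(!isNull) steps do."""
    f = {}
    for line in raw.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            f[m.group(1)] = m.group(2).strip()
    path = f.get("TargetObject") or f.get("ObjectName") or ""
    value_name = f.get("ObjectValueName") or ""
    # Divergence from the query (assumption): Sysmon 13 has no ObjectValueName; the value name
    # is the last component of TargetObject, so derive it there for Event ID 13 only.
    if not value_name and f.get("EventCode") == "13" and "\\" in path:
        value_name = path.rsplit("\\", 1)[1]
    return {
        "event_code": f.get("EventCode", ""),
        "registry_path": path,
        "process_name": f.get("Image") or f.get("ProcessName") or "",
        "user_name": f.get("User") or f.get("SubjectUserName") or "",
        "value_name": value_name,
        "value_data": f.get("Details") or "",
    }


def score_event(ev: Dict[str, str]) -> Optional[dict]:
    """Apply the query's key filter, flags and weights; None means the where clause drops it."""
    path = ev["registry_path"]
    if not _contains(path, PERSISTENCE_KEYS + EVASION_KEYS):
        return None
    flags = {
        "is_persistence_key": _contains(path, PERSISTENCE_KEYS),
        "is_defense_evasion_key": _contains(path, EVASION_KEYS),
        "is_suspicious_process": _contains(ev["process_name"], SUSPICIOUS_PROCESSES),
    }
    weights = {k: 1 for k in flags}
    for name, (key_pat, value_names, weight) in SPECIFIC_CHECKS.items():
        flags[name] = _contains(path, [key_pat]) and _contains(ev["value_name"], value_names)
        weights[name] = weight
    risk = sum(weights[k] for k, hit in flags.items() if hit)
    return {**ev, **{k: int(hit) for k, hit in flags.items()}, "risk_score": risk}


def run_detection(raw_events: List[str], allowlist=frozenset()) -> List[dict]:
    """Score events, drop allowlisted processes that only hit generic key classes
    (tuning for the false positives listed above), and rank by risk_score desc."""
    out = []
    for raw in raw_events:
        r = score_event(parse_event(raw))
        if r is None:
            continue
        proc = r["process_name"].rsplit("\\", 1)[-1].lower()
        if proc in allowlist and not any(r[k] for k in SPECIFIC_CHECKS):
            continue
        out.append(r)
    return sorted(out, key=lambda r: -r["risk_score"])  # stable sort: ties keep input order


# Constructed sample events modelled on the expected signals of Tests 1-4, a benign
# SCCM service-key write (allowlist case) and an unrelated key the filter should drop.
SAMPLE_EVENTS = [
    r"""EventCode=13
TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech_test
Details=C:\Windows\System32\cmd.exe /c echo persistence_test
Image=C:\Windows\System32\reg.exe
User=CORP\alice""",
    r"""EventCode=13
TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential
Details=DWORD (0x00000001)
Image=C:\Windows\System32\reg.exe
User=CORP\alice""",
    r"""EventCode=4657
ObjectName=\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
ObjectValueName=DisableAntiSpyware
ProcessName=C:\Windows\System32\reg.exe
SubjectUserName=alice""",
    r"""EventCode=13
TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
Details=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\reg.exe
User=NT AUTHORITY\SYSTEM""",
    r"""EventCode=13
TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\ccmexec\Start
Details=DWORD (0x00000002)
Image=C:\Windows\CCM\CcmExec.exe
User=NT AUTHORITY\SYSTEM""",
    r"""EventCode=13
TargetObject=HKCU\Software\ExampleVendor\Settings\Theme
Details=dark
Image=C:\Program Files\ExampleVendor\app.exe
User=CORP\alice""",
]

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS, allowlist=frozenset({"ccmexec.exe"})):
        print(r["risk_score"], r["process_name"], r["registry_path"], [k for k in SPECIFIC_CHECKS if r[k]])
```

Run as a script it prints the ranked hits: the WDigest and Defender events score 5, the IFEO event 4, the Run-key event 2, and the SCCM write is suppressed by the allowlist while the vendor settings key never passes the filter. Two caveats carry back to the live query: the value-specific flags depend on where value_name comes from, as noted above, and Test 2 places UseLogonCredential under Control\Lsa, whereas the WDigest setting itself is conventionally stored under Control\SecurityProviders\WDigest, a path that does not contain `\Lsa`, so confirm which path your telemetry records before relying on the is_wdigest_enable weight.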
References (12)
- https://attack.mitre.org/techniques/T1112/
- https://learn.microsoft.com/en-us/sysinternals/downloads/reghide
- https://learn.microsoft.com/en-us/sysinternals/downloads/regdelnull
- https://technet.microsoft.com/en-us/library/cc732643.aspx
- https://technet.microsoft.com/en-us/library/cc754820.aspx
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
- https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
- https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table