title: Modify Registry (T1112)
id: df00tech-t1112
status: experimental
description: "Adversaries may interact with the Windows Registry to aid in defense evasion, persistence, and execution. The Registry may be modified to hide configuration information or malicious payloads, disable security controls (e.g., enabling WDigest plaintext credential caching, disabling Windows Defender, enabling Office macros), establish persistence via run keys or services, and store C2 configuration data. Common tools include the built-in reg.exe utility, PowerShell registry cmdlets (Set-ItemProperty, New-Item), and direct Win32 API calls (RegSetValueEx, RegCreateKeyEx). Adversaries may also target remote registries over SMB using valid accounts, or employ null-byte prefix tricks to create pseudo-hidden keys invisible to standard utilities."
references:
  - https://attack.mitre.org/techniques/T1112/
  - https://df00tech.com/detections/T1112
author: df00tech
date: 2026/04/18
tags:
  - attack.t1112
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every process_creation event, so this rule
  # fires on everything until the selection below is replaced with real logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installation and update processes legitimately modify Run keys and service registry entries — filter by known installer parent processes (msiexec.exe, setup.exe with code-signed paths)"
  - "Group Policy application (gpsvc, gpscript.exe) modifies Defender and Office macro policy keys during scheduled policy refreshes"
  - System administrators using reg.exe or PowerShell to apply configuration baselines as part of hardening scripts
  - "Endpoint management agents (SCCM, Intune, Tanium) that configure system settings via registry modifications during software deployment"
  - Antivirus and EDR products that legitimately modify Windows Defender registry keys during updates or configuration changes
level: high
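As an added example (not part of the df00tech rule or its KQL/SPL query), the following Python matcher applies the description's tool list and the falsepositives parent-process filter to constructed Sysmon-style process_creation events. The field names (Image, ParentImage, CommandLine), the key fragments and the sample command lines are assumptions for illustration.

```python
import re

# Key fragments the rule description names (WDigest caching, Defender policy,
# Run keys), matched case-insensitively as substrings of the command line.
SENSITIVE_KEY_RE = re.compile(
    r"\\SecurityProviders\\WDigest|\\Windows Defender|\\CurrentVersion\\Run", re.I)
# Registry-writing invocations of the tools the description names.
REG_WRITE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:add|import|load)\b", re.I)
PS_WRITE_RE = re.compile(r"\b(?:Set-ItemProperty|New-ItemProperty|New-Item)\b", re.I)
# Parents the falsepositives section expects to change these keys
# (installers, Group Policy scripts); extend per environment.
BENIGN_PARENTS = {"msiexec.exe", "setup.exe", "gpscript.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return (alert, reason) for one Sysmon-style process_creation event."""
    cmd = event.get("CommandLine", "")
    image = _basename(event.get("Image", ""))
    writes = (image == "reg.exe" and REG_WRITE_RE.search(cmd)) or (
        image in ("powershell.exe", "pwsh.exe") and PS_WRITE_RE.search(cmd))
    if not writes:
        return False, "no registry write"
    if not SENSITIVE_KEY_RE.search(cmd):
        return False, "key not covered by this rule"
    parent = _basename(event.get("ParentImage", ""))
    if parent in BENIGN_PARENTS:
        return False, f"filtered: expected parent {parent}"
    return True, "T1112: registry write to sensitive key"

def triage(events):
    """Return the Ids of events that should alert."""
    return [e["Id"] for e in events if evaluate(e)[0]]

# Constructed sample events; paths and value names are illustrative only.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\ProgramData\u.exe"},
    {"Id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1"},
    {"Id": 3, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"},
    {"Id": 4, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"pwsh.exe Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -Value 1"},
]
```

Event 3 is a read-only reg.exe query and event 2 is filtered by its installer parent, so only events 1 and 4 alert.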
