
Windows Registry, Data Source DS0024 | MITRE ATT&CK®

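<!doctype html>
<html lang="en">
<head>
  <!-- Character encoding is declared first so nothing the parser has to interpret precedes it. -->
  <meta charset="utf-8">
  <!-- Google Analytics bootstrap. The inline script needs a nonce or hash allowance if a strict
       Content-Security-Policy is applied to this site; the loader is fetched from a third-party
       origin, so a script-src directive should name that origin explicitly. Script body unchanged. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script>
  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <meta name="viewport" content="width=device-width, initial-scale=1,shrink-to-fit=no">
  <!-- Legacy IE hint; has no effect in current browsers and is kept only for compatibility with the original template. -->
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <link rel="shortcut icon" href="/theme/favicon.ico" type="image/x-icon">
  <title>Windows Registry, Data Source DS0024 | MITRE ATT&amp;CK&reg;</title>
  <!-- USWDS CSS -->
  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="/theme/style/bootstrap.min.css">
  <link rel="stylesheet" href="/theme/style/bootstrap-tourist.css">
  <link rel="stylesheet" href="/theme/style/bootstrap-select.min.css">
  <!-- Fontawesome CSS -->
  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css">
  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css">
  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css">
  <link rel="stylesheet" href="/theme/style.min.css?6689c2db">
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
  <div class="row sticky-top flex-grow-0 flex-shrink-1">
    <!-- header elements -->
    <header class="col px-0">
      <nav class="navbar navbar-expand-lg navbar-dark position-static" aria-label="Primary">
        <!-- The logo is the only content of the home link, so its alt text names the link destination. -->
        <a class="navbar-brand" href="/"><img src="/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&amp;CK home"></a>
        <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
          <span class="navbar-toggler-icon"></span>
        </button>
        <div class="collapse navbar-collapse" id="navbarCollapse">
          <ul class="nav nav-tabs ml-auto">
            <li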
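class="nav-item dropdown">
              <!-- Every dropdown toggle in this menu previously carried the same id="navbarDropdown",
                   so the id was not unique and each menu's aria-labelledby resolved to the first
                   toggle on the page. Each toggle now has its own id and each menu labels itself by it.
                   If site CSS or JS selected #navbarDropdown, it needs the same rename (not visible here). -->
              <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdownMatrices" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownMatrices">
                <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/matrices/mobile/">Mobile</a>
                <a class="dropdown-item" href="/matrices/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdownTactics" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownTactics">
                <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/tactics/mobile/">Mobile</a>
                <a class="dropdown-item" href="/tactics/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdownTechniques" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownTechniques">
                <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/techniques/mobile/">Mobile</a>
                <a class="dropdown-item" href="/techniques/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdownDefenses" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownDefenses">
                <a class="dropdown-item" href="/datasources">Data Sources</a>
                <!-- Nested sub-menu: the Mitigations toggle gets its own id as well. -->
                <div class="dropright dropdown">
                  <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdownMitigations" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a>
                  <div class="dropdown-menu" aria-labelledby="navbarDropdownMitigations">
                    <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a>
                    <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a>
                    <a class="dropdown-item" href="/mitigations/ics/">ICS</a>
                  </div>
                </div>
                <a class="dropdown-item" href="/assets">Assets</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdownCTI" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownCTI">
                <a class="dropdown-item" href="/groups">Groups</a>
                <a class="dropdown-item" href="/software">Software</a>
                <a class="dropdown-item" href="/campaigns">Campaigns</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdownResources" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownResources">
                <a class="dropdown-item" href="/resources/">Get Started</a>
                <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&amp;CK</a>
                <a class="dropdown-item" href="/resources/attackcon/">ATT&amp;CKcon</a>
                <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&amp;CK Data &amp; Tools</a>
                <a class="dropdown-item" href="/resources/faq/">FAQ</a>
                <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&amp;CK</a>
                <a class="dropdown-item" href="/resources/versions/">Version History</a>
                <a class="dropdown-item" href="/resources/legal-and-branding/">Legal &amp; Branding</a>
              </div>
            </li>
            <li class="nav-item">
              <a href="/resources/engage-with-attack/benefactors/" class="nav-link"><b>Benefactors</b></a>
            </li>
            <li class="nav-item">
              <!-- External link opened in a new tab: rel="noopener noreferrer" severs the opener
                   reference and suppresses the Referer header for the cross-origin navigation.
                   The "External site" icon already signals that the link leaves this site. -->
              <a href="https://medium.com/mitre-attack/" target="_blank" rel="noopener noreferrer" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon"> </a>
            </li>
            <li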
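class="nav-item">
              <!-- Explicit type: a bare <button> defaults to type="submit". The icon element is decorative
                   (the visible text "Search" names the control), so it is hidden from assistive technology.
                   A <div> is not valid inside <button>; change it to a <span> once the .icon-button/.search-icon
                   styling is confirmed not to depend on a block element. -->
              <button id="search-button" class="btn search-button" type="button">Search <div id="search-icon" class="icon-button search-icon" aria-hidden="true"></div></button>
            </li>
          </ul>
        </div>
      </nav>
    </header>
  </div>
  <div class="row flex-grow-0 flex-shrink-1">
    <!-- banner elements -->
    <div class="col px-0">
      <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature -->
      <!-- !versions banner! -->
      <!-- Link text made self-describing so it makes sense when read out of context (was "here"). -->
      <div class="container-fluid banner-message">
        ATT&amp;CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href="https://na.eventscloud.com/attackcon6">on the ATT&amp;CKcon 6.0 event page</a>
      </div>
    </div>
  </div>
  <div class="row flex-grow-1 flex-shrink-0">
    <!-- main content elements -->
    <!--start-indexing-for-search-->
    <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical">
      <div class="resizer" id="resizer"></div>
      <!--stop-indexing-for-search-->
      <!-- NOTE(review): id="v-tab" is also set on the enclosing .sidebar div, so the id is duplicated.
           Which of the two the sidebar script targets is not visible here; both are left unchanged. -->
      <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100">
        <div class="sidenav-wrapper">
          <!-- aria-controls takes an element id, not a CSS selector: "sidebar-collapse" rather than
               "#sidebar-collapse" (Bootstrap's collapse plugin reads data-target, so this only affects
               assistive technology). The same "#"-prefixed aria-controls value recurs on every
               .expand-button further down the sidebar. This div is the collapse toggle but is not
               keyboard-focusable; it should become a <button type="button"> once the .heading styling
               is confirmed to apply to buttons. The chevrons are decorative and hidden from AT. -->
          <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down" aria-hidden="true"></i> <i class="fa-solid fa-fw fa-chevron-up" aria-hidden="true"></i> </div>
          <!-- NOTE(review): id="v-home-tab" duplicates the heading's id above. aria-labelledby="v-home-tab"
               on #sidebar-collapse resolves to the heading, which is the intended label, so the duplicate
               is left for the sidebar script owner to remove rather than renamed blindly. -->
          <div class="checkbox-div" id="v-home-tab" aria-selected="false">
            <!-- Inline onchange handlers are blocked by a strict CSP (script-src without 'unsafe-inline');
                 bind them with addEventListener in the sidebar script instead. filterTables is defined
                 elsewhere and its arguments are the switch elements resolved by id. Handlers unchanged. -->
            <div class="custom-control custom-switch">
              <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)">
              <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label>
            </div>
            <div class="custom-control custom-switch">
              <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)">
              <label class="custom-control-label" for="mobileSwitch">Mobile</label>
            </div>
            <div class="custom-control custom-switch">
              <input type="checkbox"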
class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/datasources/DS0015/"> Application Log </a> <div 
class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041"> <a href="/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" 
aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037"> <a href="/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service 
Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017"> <a href="/datasources/DS0017/"> Command </a> <div class="expand-button 
collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain 
Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a href="/datasources/DS0016/"> Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022"> <a 
href="/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall 
Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001"> <a href="/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" 
id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Creation"> <a href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> 
Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a 
href="/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div class="sidenav-body collapse" id="DS0028-body" aria-labelledby="DS0028-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Creation"> <a href="/datasources/DS0028/#Logon%20Session%20Creation"> Logon Session Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Metadata"> <a href="/datasources/DS0028/#Logon%20Session%20Metadata"> Logon Session Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004"> <a href="/datasources/DS0004/"> Malware Repository </a> <div class="expand-button collapsed" id="DS0004-header" data-toggle="collapse" data-target="#DS0004-body" aria-expanded="false" aria-controls="#DS0004-body"></div> </div> <div class="sidenav-body collapse" id="DS0004-body" aria-labelledby="DS0004-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Content"> <a href="/datasources/DS0004/#Malware%20Content"> Malware Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Metadata"> <a href="/datasources/DS0004/#Malware%20Metadata"> Malware Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011"> <a href="/datasources/DS0011/"> Module </a> <div class="expand-button collapsed" id="DS0011-header" data-toggle="collapse" data-target="#DS0011-body" aria-expanded="false" aria-controls="#DS0011-body"></div> </div> <div class="sidenav-body collapse" id="DS0011-body" aria-labelledby="DS0011-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011-Module Load"> <a href="/datasources/DS0011/#Module%20Load"> Module Load </a> 
ics " id="DS0024-Windows Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/datasources/">Data Sources</a></li> <li class="breadcrumb-item">Windows Registry</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Windows Registry </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. 
(2018, May 31). Registry. Retrieved September 29, 2021."data-reference="Microsoft Registry"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>DS0024 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platform:&nbsp;</span>Windows </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layer:&nbsp;</span>Host </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.0 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>20 October 2021 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>11 May 2022 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0024" 
href="/versions/v16/datasources/DS0024/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0024" href="/versions/v16/datasources/DS0024/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="Windows Registry Key Access"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Access</h4> <div class="description-body"> <p>Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Access</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1652">T1652</a> </td> <td> <a href="/techniques/T1652">Device Driver Discovery</a> </td> <td> <p>Monitor for attempts to access information stored in the Registry about devices and their associated drivers, 
such as values under <code>HKLM\SYSTEM\CurrentControlSet\Services</code> and <code>HKLM\SYSTEM\CurrentControlSet\HardwareProfiles</code>.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023."data-reference="Microsoft Registry Drivers"><sup><a href="https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.</p><p>Analytic 1 - Unauthorized registry access to SAM key.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\SAM" | where ProcessName IN ("mimikatz.exe", "procdump.exe", "reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/002">.002</a> </td> <td> <a href="/techniques/T1003/002">Security Account Manager</a> </td> <td> <p>Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. 
Detection of compromised <a href="/techniques/T1078">Valid Accounts</a> in-use by adversaries may help as well.</p><p>Analytic 1 - Unauthorized registry access to SAM key.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\SAM" | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe", "mimikatz.exe", "procdump.exe") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/004">.004</a> </td> <td> <a href="/techniques/T1003/004">LSA Secrets</a> </td> <td> <p>Monitor for access to the LSA secrets stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>.</p><p>Analytic 1 - Unauthorized registry access to LSA secrets.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\Policy\Secrets*" | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe", "mimikatz.exe", "procdump.exe") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1012">T1012</a> </td> <td> <a href="/techniques/T1012">Query Registry</a> </td> <td> <p>Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.</p><p>Note: For Security Auditing event ids 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, the implementation of a new System Access Control List (SACL) might be required. 
Depending on the Registry key used for the creation of a System Access Control List (SACL), the generation of event ids 4656 and 4663 might be noisy.</p><p>Analytic 1 - Suspicious Registry</p><p><code>(sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1649">T1649</a> </td> <td> <a href="/techniques/T1649">Steal or Forge Authentication Certificates</a> </td> <td> <p>Monitor for attempts to access information stored in the Registry about certificates and their associated private keys. For example, user certificates are commonly stored under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates</code>.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022."data-reference="SpecterOps Certified Pre Owned"><sup><a href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. 
Retrieved August 3, 2022."data-reference="O365 Blog Azure AD Device IDs"><sup><a href="https://o365blog.com/post/deviceidentity/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1614">T1614</a> </td> <td> <a href="/techniques/T1614/001">.001</a> </td> <td> <a href="/techniques/T1614">System Location Discovery</a>: <a href="/techniques/T1614/001">System Language Discovery</a> </td> <td> <p>Monitor for access to windows registry keys that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1033">T1033</a> </td> <td> <a href="/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Monitor for unexpected windows registry keys being accessed that may search compromised systems to find and obtain insecurely stored credentials.</p><p>Analytic 1 - Unauthorized access to registry keys associated with credentials.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Security-Auditing" EventCode=4663 ObjectType="Registry" (ObjectName="*password*" OR ObjectName="*credential*") | eval AccessAttempt=case( AccessMask="0x1", "Read", AccessMask="0x2", "Write", AccessMask="0x3", "Read/Write", AccessMask="0x4", "Delete", true(), 
"Unknown")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/002">.002</a> </td> <td> <a href="/techniques/T1552/002">Credentials in Registry</a> </td> <td> <p>Monitor for unexpected windows registry keys being accessed that may search the Registry on compromised systems for insecurely stored credentials.</p><p>Analytic 1 - Unauthorized access to registry keys associated with credentials.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Security-Auditing" EventCode=4663 ObjectType="Registry" (ObjectName="*password*" OR ObjectName="*credential*") | eval AccessType=case( AccessMask="0x1", "Read", AccessMask="0x2", "Write", AccessMask="0x3", "Read/Write", AccessMask="0x4", "Delete", true(), "Unknown")</code></p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="Windows Registry Key Creation"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Creation</h4> <div class="description-body"> <p>Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Creation</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a 
href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>Monitor for newly created windows registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/014">.014</a> </td> <td> <a href="/techniques/T1547/014">Active Setup</a> </td> <td> <p>Monitor Registry key additions to <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\</code>. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1037">T1037</a> </td> <td> <a href="/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p>Monitor for newly constructed windows registry keys that may use scripts automatically executed at boot or logon initialization to establish persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1037/001">.001</a> </td> <td> <a href="/techniques/T1037/001">Logon Script (Windows)</a> </td> <td> <p>Monitor for the creation of Registry keys associated with Windows logon scripts, namely <code>HKCU\Environment\UserInitMprLogonScript</code>.</p><p>Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment\UserInitMprLogonScript. This signature looks for edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. 
Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.</p><p>Analytic 1 - Boot or Logon Initialization Scripts</p><p><code> (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (12, 14, 13)) TargetObject="*\Environment*UserInitMprLogonScript" </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1176">T1176</a> </td> <td> <a href="/techniques/T1176">Browser Extensions</a> </td> <td> <p>Monitor for any new items written to the Registry or PE files written to disk that may correlate with browser extension installation.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Monitor for newly constructed windows registry keys that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p>Monitor for newly constructed windows registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.</p><p>Analytic 1 - Creation of the HKLM\System\CurrentControlSet\Services Registry key</p><p><code> sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="12" TargetObject="HKLM\System\CurrentControlSet\Services*"</code></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a 
href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021."data-reference="def_ev_win_event_logging"><sup><a href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022."data-reference="disable_win_evt_logging"><sup><a href="https://ptylu.github.io/content/report/report.html?report=25" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/009">.009</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/009">Safe Mode Boot</a> </td> <td> <p>Monitor Registry creation for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a <code>*</code> in front of the "Startup" value name: <code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"]</code> or by adding a key to <code>HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. 
Retrieved June 23, 2021."data-reference="BleepingComputer REvil 2021"><sup><a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021."data-reference="Sophos Snatch Ransomware 2019"><sup><a href="https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for the addition of network provider Registry keys (e.g., <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider</code>).</p><p>Analytic 1 - Unauthorized addition of network provider Registry keys.</p><p><code>sourcetype=WinEventLog:Security (EventCode=4663 OR EventCode=4657) | eval registry_path=mvindex(split(ObjectName,"\\"), 0, mvcount(split(ObjectName,"\\"))-1) | search registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication", "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters")</code></p><p>Note that the paths in this search cover LSA and authentication configuration keys rather than the <code>NetworkProvider</code> subkey itself; to detect the key described above, add <code>HKLM\SYSTEM\CurrentControlSet\Services\*\NetworkProvider</code> to the <code>IN</code> list.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/008">.008</a> </td> <td> <a href="/techniques/T1556/008">Network Provider DLL</a> </td> <td> <p>Monitor for the addition of network provider Registry keys (e.g., 
<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider</code>).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor for newly constructed registry keys or values to aid in persistence and execution. Detect creation of the registry value <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</code>. If SafeDllSearchMode is set to 0, the safe DLL search order is disabled and adversaries may get their own malicious DLL loaded in place of a legitimate one.</p><p>Analytic 1 - Registry Edit with Creation of SafeDllSearchMode Key Set to 0</p><p><code>(source="*WinEventLog:Security" EventCode="4657" ObjectValueName="SafeDllSearchMode" value="0") OR (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/011">.011</a> </td> <td> <a href="/techniques/T1027/011">Fileless Storage</a> </td> <td> <p>Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1137">T1137</a> </td> <td> <a href="/techniques/T1137">Office Application Startup</a> </td> <td> <p>Many 
Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019."data-reference="CrowdStrike Outlook Forms"><sup><a href="https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019."data-reference="Outlook Today Home Page"><sup><a href="https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/001">.001</a> </td> <td> <a href="/techniques/T1137/001">Office Template Macros</a> </td> <td> <p>Collect events related to Registry key creation for keys that could be used for Office-based persistence.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. 
Retrieved February 5, 2019."data-reference="CrowdStrike Outlook Forms"><sup><a href="https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019."data-reference="Outlook Today Home Page"><sup><a href="https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/002">.002</a> </td> <td> <a href="/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor for the creation of the Office Test Registry key. Collect events related to Registry key creation for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. 
Retrieved July 3, 2017."data-reference="Palo Alto Office Test Sofacy"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/006">.006</a> </td> <td> <a href="/techniques/T1137/006">Add-ins</a> </td> <td> <p>Audit the Registry entries relevant for enabling add-ins.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019."data-reference="GlobalDotName Jun 2019"><sup><a href="https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017."data-reference="MRWLabs Office Persistence Add-ins"><sup><a href="https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Monitor for newly constructed registry keys upon creation of new task. 
Deletion of values/keys in the registry may further indicate malicious activity.</p><p>Analytic 1 - Suspicious Creations under Schedule Registry Key</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="12") OR (sourcetype=WinEventLog:Security EventCode=4657)) | search (registry_path="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\*" OR registry_path="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1553">T1553</a> </td> <td> <a href="/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under <code>HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</code> and <code>[HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\</code>. There is a subset of root certificates that are consistent across Windows systems and can be used for comparison: <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. 
Retrieved December 19, 2017."data-reference="Tripwire AppUNBlocker"><sup><a href="https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p><ul><li><code>18F7C1FCC3090203FD5BAA2F861A754976C8DD25</code></li><li><code>245C97DF7514E7CF2DF8BE72AE957B9E04741E85</code></li><li><code>3B1EFD3A66EA28B16697394703A72CA340A05BD5</code></li><li><code>7F88CD7223F3C813818C994614A89C99FA3B5247</code></li><li><code>8F43288AD272F3103B6FB1428485EA3014C0BCFE</code></li><li><code>A43489159A520F0D93D032CCAF37E7FE20A8B419</code></li><li><code>BE36A4562FB2EE05DBB3D32323ADF445084ED656</code></li><li><code>CDD4EEAE6000AC7F40C3802C171E30148030C072</code></li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/004">.004</a> </td> <td> <a href="/techniques/T1553/004">Install Root Certificate</a> </td> <td> <p>Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under <code>HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</code> and <code>HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\</code> or <code>HKCU\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\</code>.</p><p>There is a subset of root certificates that are consistent across Windows systems and can be used for comparison: <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. 
Retrieved December 19, 2017."data-reference="Tripwire AppUNBlocker"><sup><a href="https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p><ul><li><code>18F7C1FCC3090203FD5BAA2F861A754976C8DD25</code></li><li><code>245C97DF7514E7CF2DF8BE72AE957B9E04741E85</code></li><li><code>3B1EFD3A66EA28B16697394703A72CA340A05BD5</code></li><li><code>7F88CD7223F3C813818C994614A89C99FA3B5247</code></li><li><code>8F43288AD272F3103B6FB1428485EA3014C0BCFE</code></li><li><code>A43489159A520F0D93D032CCAF37E7FE20A8B419</code></li><li><code>BE36A4562FB2EE05DBB3D32323ADF445084ED656</code></li><li><code>CDD4EEAE6000AC7F40C3802C171E30148030C072</code></li></ul> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="Windows Registry Key Deletion"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Deletion</h4> <div class="description-body"> <p>Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Deletion</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> 
</td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools, such as <code>HKLM\SOFTWARE\Microsoft\AMSI\Providers</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for deletion of Windows Registry keys that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/009">.009</a> </td> <td> <a href="/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for deletion of Windows Registry keys that may remove or alter generated artifacts associated with persistence on a host system. </p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0872">T0872</a> </td> <td> <a href="/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for deletion of Windows Registry keys that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. 
For added context on adversary procedures and background see <a href="/techniques/T1070">Indicator Removal</a> and applicable sub-techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor for unexpected deletion of windows registry keys to hide configuration information, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. </p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="Windows Registry Key Modification"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Modification</h4> <div class="description-body"> <p>Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Windows Registry: Windows Registry Key Modification</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult 
to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/002">.002</a> </td> <td> <a href="/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p>Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:</p><ul><li>The <code>eventvwr.exe</code> bypass uses the <code>[HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command</code> Registry key.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Nelson, M. (2016, August 15). &quot;Fileless&quot; UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016."data-reference="enigma0x3 Fileless UAC Bypass"><sup><a href="https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></li><li>The <code>sdclt.exe</code> bypass uses the <code>[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</code> and <code>[HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand</code> Registry keys.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Nelson, M. (2017, March 14). Bypassing UAC using App Paths. 
Retrieved May 25, 2017."data-reference="enigma0x3 sdclt app paths"><sup><a href="https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Nelson, M. (2017, March 17). &quot;Fileless&quot; UAC Bypass Using sdclt.exe. Retrieved May 25, 2017."data-reference="enigma0x3 sdclt bypass"><sup><a href="https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></li></ul><p>Analysts should monitor these Registry settings for unauthorized changes.</p><p>UAC Bypass is an interesting technique in that new implementations are regularly found and existing implementations may be fixed (i.e., patched) by Microsoft in new builds of Windows. Therefore, it is important to validate that detections for UAC Bypass are still relevant (i.e., they target non-patched implementations). </p><p>Note: Sysmon Event ID 12 (Registry Key Create/Delete), Sysmon Event ID 13 (Registry Value Set), and Sysmon Event ID 14 (Registry Key and Value Rename) are useful for creating detections around Registry Key Modification in the context of UAC Bypass.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1557">T1557</a> </td> <td> <a href="/techniques/T1557">Adversary-in-the-Middle</a> </td> <td> <p>Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. 
A value of "0" indicates LLMNR is disabled.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1557/001">.001</a> </td> <td> <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a> </td> <td> <p>Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0830">T0830</a> </td> <td> <a href="/techniques/T0830">Adversary-in-the-Middle</a> </td> <td> <p>Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p>Detect modification of the registry value <code>Common Startup</code> located under <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>. When a user logs on, any files located in the Startup Folder are launched. Attackers may point this value at a different folder in order to evade detections set on the default Startup folder. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry keys.</p><p>Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’</p><p><code>(source="*WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/002">.002</a> </td> <td> <a href="/techniques/T1547/002">Authentication Package</a> </td> <td> <p>Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</code> with AuditLevel = 8. <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. 
Retrieved March 1, 2017."data-reference="Graeber 2014"><sup><a href="http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015."data-reference="Microsoft Configure LSA"><sup><a href="https://technet.microsoft.com/en-us/library/dn408187.aspx" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/003">.003</a> </td> <td> <a href="/techniques/T1547/003">Time Providers</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values modifying W32Time information in the Registry.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/004">.004</a> </td> <td> <a href="/techniques/T1547/004">Winlogon Helper DLL</a> </td> <td> <p>Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p>Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify</p><p><code>(source="*WinEventLog:Security" EventCode="4657" (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify")) OR (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="*Winlogon\Userinit" OR TargetObject="*Winlogon\Shell" OR TargetObject="*Winlogon\Notify"))</code></p><p>Scope the wildcard patterns to the Winlogon key: an unanchored <code>*Shell</code> or <code>*Notify</code> matches unrelated values elsewhere in the Registry and generates noise.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/005">.005</a> </td> <td> <a href="/techniques/T1547/005">Security Support Provider</a> </td> <td> <p>Monitor the Registry for changes to the SSP Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</code> with AuditLevel = 8. <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017."data-reference="Graeber 2014"><sup><a href="http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Microsoft. (2013, July 31). Configuring Additional LSA Protection. 
Retrieved June 24, 2015."data-reference="Microsoft Configure LSA"><sup><a href="https://technet.microsoft.com/en-us/library/dn408187.aspx" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/010">.010</a> </td> <td> <a href="/techniques/T1547/010">Port Monitors</a> </td> <td> <p>Monitor Registry writes to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/012">.012</a> </td> <td> <a href="/techniques/T1547/012">Print Processors</a> </td> <td> <p>Monitor Registry writes to <code>HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver</code> or <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver</code> as they pertain to print processor installations.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/014">.014</a> </td> <td> <a href="/techniques/T1547/014">Active Setup</a> </td> <td> <p>Monitor Registry key modifications to <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\</code>.Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including 
listing the Active Setup Registry locations and startup folders.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Monitor for changes to windows registry keys and/or values that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p>Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p>Analytic 1 - Modification of the HKLM\System\CurrentControlSet\Services Registry key</p><p><code> (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (13, 14) EventType= "SetValue" TargetObject="HKLM\System\CurrentControlSet\Services*" | where RegistryKeyPath LIKE "%ImagePath%" OR RegistryKeyPath LIKE "%Type%" OR RegistryKeyPath LIKE "%DisplayName%" OR RegistryKeyPath LIKE "%Objectname%"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1074">T1074</a> </td> <td> <a href="/techniques/T1074">Data Staged</a> </td> <td> <p>Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1074/001">.001</a> </td> <td> <a href="/techniques/T1074/001">Local Data Staging</a> </td> <td> <p>Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1546">T1546</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/techniques/T1546/001">.001</a> </td> <td> <a href="/techniques/T1546/001">Change Default File Association</a> </td> <td> <p>Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. User file association preferences are stored under <code> [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts</code> and override associations configured under <code>[HKEY_CLASSES_ROOT]</code>. Changes to a user's preference will occur under this entry's subkeys.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/002">.002</a> </td> <td> <a href="/techniques/T1546/002">Screensaver</a> </td> <td> <p>Monitor for screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screen saver files are stored in C:\Windows\System32. Use these files as a reference when defining a list of non-suspicious screen saver files.</p><p>Analytic 1 - Registry Edit from Screensaver</p><p><code>source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (13, 14) TargetObject="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/007">.007</a> </td> <td> <a href="/techniques/T1546/007">Netsh Helper DLL</a> </td> <td> <p>Monitor the <code>HKLM\SOFTWARE\Microsoft\Netsh</code> registry key for any new or suspicious entries that do not correlate with known system files or benign software. <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Demaske, M. (2016, September 23). 
USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017."data-reference="Demaske Netsh Persistence"><sup><a href="https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/008">.008</a> </td> <td> <a href="/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>Monitor Registry keys within <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/009">.009</a> </td> <td> <a href="/techniques/T1546/009">AppCert DLLs</a> </td> <td> <p>Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/010">.010</a> </td> <td> <a href="/techniques/T1546/010">AppInit DLLs</a> </td> <td> <p>Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. 
Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.</p><p>Analytic 1 - AppInit DLLs</p><p><code> source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14) TargetObject= "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls*" OR TargetObject= "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/011">.011</a> </td> <td> <a href="/techniques/T1546/011">Application Shimming</a> </td> <td> <p>Monitor for changes to windows registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/012">.012</a> </td> <td> <a href="/techniques/T1546/012">Image File Execution Options Injection</a> </td> <td> <p>Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/015">.015</a> </td> <td> <a href="/techniques/T1546/015">Component Object Model Hijacking</a> </td> <td> <p>There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: <a href="/software/S0075">Reg</a>) replacing known binary paths with unknown paths or otherwise malicious content. 
Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\Software\Classes\CLSID\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016."data-reference="Elastic COM Hijacking"><sup><a href="https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.</p><p>Analytic 1 - Component Object Model Hijacking</p><p><code> source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14) TargetObject= "*\Software\Classes\CLSID*"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/002">.002</a> </td> <td> <a href="/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor for changes made to windows registry key or values for unexpected modifications of the <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList</code> key.</p> </td> </tr> <tr 
class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/005">.005</a> </td> <td> <a href="/techniques/T1564/005">Hidden File System</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values that may use a hidden file system to conceal malicious activity from users and security tools.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/006">.006</a> </td> <td> <a href="/techniques/T1564/006">Run Virtual Instance</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may be the result of using a virtual instance to avoid detection. For example, if virtualization software is installed by the adversary the Registry may provide detection opportunities. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1574">T1574</a> </td> <td> <a href="/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values that may execute their own malicious payloads by hijacking the way operating systems run programs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/007">.007</a> </td> <td> <a href="/techniques/T1574/007">Path Interception by PATH Environment Variable</a> </td> <td> <p>Monitor for modifications of PATH environment variable Registry keys such as <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path</code>. 
An adversary can add a new directory or list of directories before other locations where programs can be executed from.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/011">.011</a> </td> <td> <a href="/techniques/T1574/011">Services Registry Permissions Weakness</a> </td> <td> <p>Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/012">.012</a> </td> <td> <a href="/techniques/T1574/012">COR_PROFILER</a> </td> <td> <p>For detecting system and user scope abuse of the COR_PROFILER variable, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor Registry edits for modifications to services and startup programs that correspond to security tools.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> 
<p>Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021."data-reference="def_ev_win_event_logging"><sup><a href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p><p>Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. There are different ways to perform this attack. 1. The first one is to create the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). 2. The second way is to disable the service EventLog (display name Windows Event Log). After disabling it, the attacker must reboot the system. Disabling the service or setting it to manual start will modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. 3. The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, this one will restart immediately. Why? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So the attacker must either disable EventLog and then stop it, or disable netprofm and then stop EventLog. 
Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but also generates a lot of noise because it will generate a log every time the system shuts down). 4. The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters, which prevents the creation of event logs. 5. The last one is to modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file (or other kind of log) to modify the path where the event logs are stored. Importantly, with this technique, the EventViewer will use the value of the Registry Key "file" to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old ones will be stored in another .evtx file. Also, the path must be in a folder that the EventLog process has access to (for example, it does not work if the attacker sets the new path to the Desktop). The attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks require administrative rights. 
Attacks three, four, and five do not require a system reboot to take effect immediately.</p><p>Analytic 1 - Disable Windows Event Logging</p><p><code>(source="*WinEventLog:Security" EventCode IN (4657, 4719) OR source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13") (ObjectName="*EventLog*") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/004">.004</a> </td> <td> <a href="/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p>Monitor for changes made to windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/006">.006</a> </td> <td> <a href="/techniques/T1562/006">Indicator Blocking</a> </td> <td> <p>To detect changes to ETW, you can also monitor the registry key which contains configurations for all ETW event providers: <code>HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME{PROVIDER_GUID}</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/009">.009</a> </td> <td> <a href="/techniques/T1562/009">Safe Mode Boot</a> </td> <td> <p>Monitor modifications to Registry data associated with enabling safe mode. 
For example, a service can be forced to start on safe mode boot by adding a <code>*</code> in front of the "Startup" value name: <code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"]</code> or by adding a key to <code>HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021."data-reference="BleepingComputer REvil 2021"><sup><a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021."data-reference="Sophos Snatch Ransomware 2019"><sup><a href="https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/007">.007</a> </td> <td> <a href="/techniques/T1070/007">Clear Network Connection History and Configurations</a> </td> <td> <p>Monitor for changes to Registry keys (ex: <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default</code>) 
and associated values that may be malicious attempts to conceal adversary network connection history.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/009">.009</a> </td> <td> <a href="/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0872">T0872</a> </td> <td> <a href="/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see <a href="/techniques/T1070">Indicator Removal</a> and applicable sub-techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1490">T1490</a> </td> <td> <a href="/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p>Monitor the registry for changes associated with system recovery features (ex: the creation of <code>HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage</code>).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056">Input Capture</a> </td> <td> <p>Monitor for changes made to windows registry keys or values for unexpected modifications</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1056/001">.001</a> </td> <td> <a href="/techniques/T1056/001">Keylogging</a> </td> <td> <p>Monitor for changes made to windows registry keys or values for unexpected 
modifications</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for changes to Registry entries for password filters (ex: <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages</code>) and correlate then investigate the DLL files these files reference.</p><p>Monitor for changes to Registry entries for network providers (e.g., <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>) and correlate then investigate the DLL files these values reference.</p><p>Analytic 1 - Unauthorized modifications to Registry entries for password filters or network providers.</p><p><code> index=wineventlog| eval suspicious_activity=if((EventCode=4657 AND (RegistryKeyPath="HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" OR RegistryKeyPath="HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order")) OR (EventCode=4663 AND AccessMask="0x2" AND (ObjectName="HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" OR ObjectName="HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order")), "true", "false")</code></p><p>Analytic 2 - Unauthorized modification of windows Registry keys may modify authentication mechanism</p><p><code> sourcetype=WinEventLog:Security(EventCode=4657 OR EventCode=4663) | eval registry_path=mvindex(split(ObjectName,"\"), 0, mvcount(split(ObjectName,"\"))-1)| search registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "HKLM\SYSTEM\CurrentControlSet\Services\WDigest\Parameters", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/002">.002</a> </td> <td> <a 
href="/techniques/T1556/002">Password Filter DLL</a> </td> <td> <p>Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these entries reference.</p><p>Analytic 1 - Unauthorized modifications to Registry entries for password filters.</p><p><code> index=windows_logs sourcetype="WinEventLog:Security" (EventCode=4657 OR EventCode=4688)| search ( (TargetObject="*\SYSTEM\CurrentControlSet\Control\Lsa\" AND ValueName="Notification Packages") OR (TargetObject="*\SYSTEM\CurrentControlSet\Control\Lsa\" AND ValueName="Authentication Packages") OR (CommandLine="*reg.exe*" AND CommandLine="*add*" AND CommandLine="*Lsa*") )| eval Modification_Type=case( like(CommandLine, "%reg.exe% add%"), "Command Line Registry Edit", EventCode=4657, "Direct Registry Modification" )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/008">.008</a> </td> <td> <a href="/techniques/T1556/008">Network Provider DLL</a> </td> <td> <p>Monitor for changes to Registry entries for network providers (e.g., <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>) and correlate then investigate the DLL files these values reference.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor for changes made to windows registry keys or values. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Miroshnikov, A. & Hall, J. 
(2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018."data-reference="Microsoft 4657 APR 2017"><sup><a href="https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.</p><p>Detection of modification of the registry key values of Notify, Userinit, and Shell located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. When a user logs on, the Registry key values of Notify, Userinit and Shell are used to load dedicated Windows components. Attackers may insert a malicious payload following the legitimate value in order to launch it.</p><p>Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. 
This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.</p><p>Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify</p><p><code>source="*WinEventLog:Security" EventCode="4657" (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify") OR source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify")</code></p><p>Analytic 2 - Modification of Default Startup Folder in the Registry Key 'Common Startup'</p><p><code>(source="*WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1111">T1111</a> </td> <td> <a href="/techniques/T1111">Multi-Factor Authentication Interception</a> </td> <td> <p>Monitor for changes to windows registry keys or values that may target multi-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources.</p><p>Analytic 1 - Unauthorized registry changes related to MFA settings.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 | where match(RegistryKeyPath, "(?i)(MFA|2FA|MultiFactorAuth|SmartCard|Token|SecureID|OTP|OneTimePasscode)")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1137">T1137</a> </td> <td> <a href="/techniques/T1137">Office Application Startup</a> </td> <td> <p>Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to 
include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019."data-reference="CrowdStrike Outlook Forms"><sup><a href="https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019."data-reference="Outlook Today Home Page"><sup><a href="https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/001">.001</a> </td> <td> <a href="/techniques/T1137/001">Office Template Macros</a> </td> <td> <p>Collect events related to Registry key modification for keys that could be used for Office-based persistence.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019."data-reference="CrowdStrike Outlook Forms"><sup><a href="https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Soutcast. (2018, September 14). Outlook Today Homepage Persistence. 
Retrieved February 5, 2019."data-reference="Outlook Today Home Page"><sup><a href="https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/002">.002</a> </td> <td> <a href="/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor for changes made to the Office Test Registry key. Collect events related to Registry key modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017."data-reference="Palo Alto Office Test Sofacy"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/006">.006</a> </td> <td> <a href="/techniques/T1137/006">Add-ins</a> </td> <td> <p>Audit the Registry entries relevant for enabling add-ins.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. 
Retrieved August 26, 2019."data-reference="GlobalDotName Jun 2019"><sup><a href="https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017."data-reference="MRWLabs Office Persistence Add-ins"><sup><a href="https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor for changes to Registry entries associated with credential access that is stored in the process memory of the LSASS. 
For example, the adversary can modify the SAM and SYSTEM Registry hive files.</p><p>Analytic 1 - Unauthorized registry modifications related to LSASS.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*\SYSTEM\CurrentControlSet\Services\*", "*\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "*\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos", "*\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0") | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe") </code></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505/005">.005</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a>: <a href="/techniques/T1505/005">Terminal Services DLL</a> </td> <td> <p>Monitor for changes to Registry keys associated with <code>ServiceDll</code> and other subkey values under <code>HKLM\System\CurrentControlSet\services\TermService\Parameters\</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1489">T1489</a> </td> <td> <a href="/techniques/T1489">Service Stop</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0881">T0881</a> </td> <td> <a href="/techniques/T0881">Service Stop</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0856">T0856</a> </td> <td> <a href="/techniques/T0856">Spoof 
Reporting Message</a> </td> <td> <p>Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons that may be used to enable this technique. For added context on adversary procedures and background see <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1553">T1553</a> </td> <td> <a href="/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under <code>HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</code> and <code>[HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\</code>. There is a subset of root certificates that is consistent across Windows systems and can be used for comparison.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017."data-reference="Tripwire AppUNBlocker"><sup><a href="https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> Also consider enabling the Registry Global Object Access Auditing <span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft. (2016, August 31). Registry (Global Object Access Auditing). 
Retrieved January 31, 2018."data-reference="Microsoft Registry Auditing Aug 2016"><sup><a href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018."data-reference="Microsoft Audit Registry July 2012"><sup><a href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/003">.003</a> </td> <td> <a href="/techniques/T1553/003">SIP and Trust Provider Hijacking</a> </td> <td> <p>Enable the Registry Global Object Access Auditing <span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018."data-reference="Microsoft Registry Auditing Aug 2016"><sup><a href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Microsoft. (2012, July 2). Audit Registry. 
Retrieved January 31, 2018."data-reference="Microsoft Audit Registry July 2012"><sup><a href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p><ul><li><code>HKLM\SOFTWARE\Microsoft\Cryptography\OID</code></li><li><code>HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</code></li><li><code>HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</code></li><li><code>HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</code></li></ul><p><strong>Note:</strong> As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using <a href="/techniques/T1218/010">Regsvr32</a>.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p><p>Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. 
Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/004">.004</a> </td> <td> <a href="/techniques/T1553/004">Install Root Certificate</a> </td> <td> <p>Monitoring changes to the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under <code>HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</code> and <code>HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\</code> or <code>HKCU\Policies\Microsoft\SystemCertificates\Root\Certificates\</code>. </p><p>There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. 
Retrieved December 19, 2017."data-reference="Tripwire AppUNBlocker"><sup><a href="https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p><ul><li>18F7C1FCC3090203FD5BAA2F861A754976C8DD25</li><li>245C97DF7514E7CF2DF8BE72AE957B9E04741E85</li><li>3B1EFD3A66EA28B16697394703A72CA340A05BD5</li><li>7F88CD7223F3C813818C994614A89C99FA3B5247</li><li>8F43288AD272F3103B6FB1428485EA3014C0BCFE</li><li>A43489159A520F0D93D032CCAF37E7FE20A8B419</li><li>BE36A4562FB2EE05DBB3D32323ADF445084ED656</li><li>CDD4EEAE6000AC7F40C3802C171E30148030C072</li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/006">.006</a> </td> <td> <a href="/techniques/T1553/006">Code Signing Policy Modification</a> </td> <td> <p>Consider monitoring for modifications made to Registry keys associated with code signing policies, such as <code>HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing</code>. Modifications to the code signing policy of a system are likely to be rare.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may forge credential materials that can be used to gain access to web applications or Internet services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/002">.002</a> </td> <td> <a href="/techniques/T1218/002">Control Panel</a> </td> <td> <p>Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:</p><ul><li>Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in 
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace</code> and <code>HKEY_CLASSES_ROOT\CLSID{GUID}</code>. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018."data-reference="Microsoft Implementing CPL"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></li><li>CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the <code>CPLs</code> and <code>Extended Properties</code> Registry keys of <code>HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel</code>. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically (<code> WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);</code>) or from a command line (<code>control.exe /name {Canonical_Name}</code>).<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="M. (n.d.). Implementing Control Panel Items. 
Retrieved January 18, 2018."data-reference="Microsoft Implementing CPL"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></li><li>Some Control Panel items are extensible via Shell extensions registered in <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder{name}\Shellex\PropertySheetHandlers</code> where {name} is the predefined name of the system item.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018."data-reference="Microsoft Implementing CPL"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></li></ul> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1569">T1569</a> </td> <td> <a href="/techniques/T1569">System Services</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may abuse system services or daemons to execute commands or programs.</p><p>Analytic 1 - Malicious service modification</p><p><code>sourcetype= Sysmon EventCode=12| search registry_path="HKLM\SYSTEM\CurrentControlSet\Services\*" | where registry_action="modified" AND user NOT IN ("known_admins") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1569/002">.002</a> </td> <td> <a href="/techniques/T1569/002">Service Execution</a> </td> <td> <p>Monitor for changes made to Windows Registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Analytic 1 - Registry changes related to service execution.</p><p><code> sourcetype=WinEventLog:Security OR sourcetype=Sysmon EventCode=13 OR EventCode=4657| search 
registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Services*")| where registry_value != "*legitimate_software_registry*" // Filter out common services</code></p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" target="_blank"> Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys" target="_blank"> Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank"> Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://o365blog.com/post/deviceidentity/" target="_blank"> Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022. 
</a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank"> Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" target="_blank"> Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://ptylu.github.io/content/report/report.html?report=25" target="_blank"> Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" target="_blank"> Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" target="_blank"> Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021. 
</a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746" target="_blank"> Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943" target="_blank"> Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/" target="_blank"> Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique" target="_blank"> Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" target="_blank"> Knowles, W. (2017, April 21). 
Add-In Opportunities for Office Persistence. Retrieved July 3, 2017. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="15.0"> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/" target="_blank"> Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/" target="_blank"> Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/" target="_blank"> Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" target="_blank"> Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html" target="_blank"> Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017. 
</a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://technet.microsoft.com/en-us/library/dn408187.aspx" target="_blank"> Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html" target="_blank"> Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com" target="_blank"> Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657" target="_blank"> Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)" target="_blank"> Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. 
</a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)" target="_blank"> Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank"> Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" target="_blank"> M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 