Modify Registry T1112

Tactics: Defense Impairment, Persistence

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Events covered

20 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 254 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (49 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Details | 135 | eq 103, is_not_null 26, contains 11, starts_with 6, ends_with 5, length_compare 4, wildcard 3, in 2, is_null 2 | 0x00000001, DWORD (0x00000001), 0x00000000, 0, DWORD (0x00000000)
TargetObject | 100 | ends_with 50, contains 34, wildcard 20, eq 7, regex_match 5, starts_with 3, in 1, match 1 | \imagepath, \path, \software\google\chrome\dnsoverhttpsmode, \software\policies\microsoft\edge\builtindnsclientenabled, \software\winternals\bginfo\userfields\
registry_path | 68 | contains 33, ends_with 33, eq 1, in 1 | \\software\\microsoft\\windows\\currentversion\\policies\..., \\inprocserver32\\, *\\Software\\Microsoft\\Office\\*\\Outlook\\Today, *\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*, *\\Tencent\\QQPCMgr\\*
registry_value_name | 43 | eq 36, in 6, ne 1, regex_match 1 | ImagePath, Debugger, URL, UseLogonCredential, AccessVBOM
event.type | 36 | eq 33, in 3 | change, creation, start
Image | 32 | ends_with 26, contains 6, eq 6, starts_with 4, is_not_null 3, is_null 1, regex_match 1 | \reg.exe, \powershell.exe, \pwsh.exe, :\program files (x86)\microsoft office\, :\program files\common files\microsoft shared\clicktorun\
CommandLine | 29 | contains 24, regex_match 7, ends_with 2 | " add ", " -a ", " -c ", " -e ", "/f"
EventID | 29 | eq 28, in 1 | 4688, 1, 4104, 13, 4103
OriginalFileName | 15 | eq 15 | reg.exe, powershell.exe, pwsh.dll, regedit.exe, regini.exe
EventType | 14 | eq 7, ne 5, in 2 | deletion, modified, DeleteValue, deleted, CreateKey
process_name | 11 | eq 5, match 2, ends_with 1, in 1, is_not_null 1, wildcard 1 | (?i)\x5cregini\.exe, cmd.exe, \system32\wbem\wmiprvse.exe, configurationwizard*.exe, dxdiag.exe
Type | 8 | eq 8 |
ObjectName | 4 | contains 3, ends_with 1, starts_with 1 | \REGISTRY\MACHINE\SAM\SAM\DOMAINS\Account, \REGISTRY\MACHINE\SAM\SAM\DOMAINS\Builtin, \REGISTRY\MACHINE\SECURITY\Cache, \SOFTWARE\Microsoft\.NETFramework, \control\lsa
ObjectValueName | 3 | eq 3 | COMPlus_ETWEnabled, COMPlus_ETWFlags, ETWEnabled, Enabled, LmCompatibilityLevel
ServiceName | 2 | eq 2 | BTOBTO, SC Scheduled Scan, UpdatMachine

Top indicator values (1087 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Details | eq | 0x00000001 | 40 | 63
Details | eq | DWORD (0x00000001) | 22 | 40
Details | eq | 0x00000000 | 17 | 43
Details | eq | DWORD (0x00000000) | 13 | 38
Details | eq | 0 | 11 | 12
Details | eq | 1 | 8 | 13
Details | eq | Binary Data | 5 | 5
Details | eq | DWORD (0x00000002) | 5 | 11
Details | eq | (Empty) | 3 | 2
Details | eq | 0x00000002 | 3 | 4
event.type | eq | change | 31 | 77
EventID | eq | 4688 | 10 | 313
EventID | eq | 1 | 8 | 237
EventID | eq | 4104 | 6 | 268
EventID | eq | 4103 | 4 | 105
EventID | eq | 4657 | 4 | 17
EventID | eq | 13 | 3 | 22
Image | ends_with | \reg.exe | 8 | 58
Image | ends_with | \officeclicktorun.exe | 3 |
OriginalFileName | eq | reg.exe | 8 | 42
OriginalFileName | eq | powershell.exe | 4 | 120
EventType | ne | deletion | 5 | 11
CommandLine | contains | add | 4 | 14
CommandLine | contains | .reg | 3 | 4
CommandLine | contains | add | 3 | 34
CommandLine | contains | new-itemproperty | 3 | 7
CommandLine | contains | set-itemproperty | 3 | 7
CommandLine | regex_match | :[^ \\] | 4 | 2
Details | length_compare | 0 | 4 | 4
Details | length_compare | > | 4 | 4

Exclusions (318 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
user.id | eq | S-1-5-18 | 7
Image | wildcard | ?:\windows\system32\svchost.exe | 6
Image | wildcard | ?:\windows\system32\msiexec.exe | 4
Image | wildcard | \device\harddiskvolume*\windows\system32\svchost.exe | 4
Image | wildcard | ?:\program files (x86)\*.exe | 3
Image | wildcard | ?:\program files\*.exe | 3
Details | eq | (Empty) | 3
Details | eq | Binary Data | 2
Image | ends_with | \officeclicktorun.exe | 3
Image | eq | ?:\windows\system32\svchost.exe | 3
CommandLine | contains | -a | 2
CommandLine | contains | -c | 2
CommandLine | contains | -e | 2
CommandLine | regex_match | :[^ \\] | 2
Image | contains | :\program files (x86)\microsoft office\ | 2
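Added example (not part of the catalog): a small evaluator for (field, operator, value) predicates using the operators from the How column, run over constructed Sysmon Event ID 13 records. It shows what the Top indicator values and Exclusions sections argue: a high-reach Details indicator fires on routine writes until it is either anchored to a specific TargetObject or filtered with the common svchost/msiexec/OfficeClickToRun exclusions. The sample records, the UseLogonCredential rule and case-insensitive matching are assumptions of this example.

```python
import fnmatch

# Constructed Sysmon Event ID 13 (registry value set) records, normalized to the
# catalog's field names. Sample data for the demo, not captured telemetry.
EVENTS = [
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\Start", "Details": "DWORD (0x00000003)"},
    {"EventID": "13", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Installed", "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates\Enabled", "Details": "DWORD (0x00000001)"},
]

# A subset of the operators from the How column. Matching is case-insensitive,
# which is how Windows-focused rule backends usually compile these predicates.
OPERATORS = {
    "eq":          lambda v, x: v is not None and str(v).lower() == x.lower(),
    "contains":    lambda v, x: v is not None and x.lower() in str(v).lower(),
    "ends_with":   lambda v, x: v is not None and str(v).lower().endswith(x.lower()),
    "wildcard":    lambda v, x: v is not None and fnmatch.fnmatchcase(str(v).lower(), x.lower()),
    "is_not_null": lambda v, x: v is not None,
}

def matches(event, predicates):
    """True when every (field, operator, value) predicate holds for the event."""
    return all(OPERATORS[op](event.get(field), value) for field, op, value in predicates)

def run_rule(selection, exclusions=()):
    """Indices of EVENTS that satisfy the selection and none of the top-level not() exclusions."""
    return [i for i, e in enumerate(EVENTS)
            if matches(e, selection) and not any(matches(e, [x]) for x in exclusions)]

# Two high-reach indicators from the table on their own: a registry set event writing a DWORD of 1.
NOISY = [("EventID", "eq", "13"), ("Details", "eq", "DWORD (0x00000001)")]
# The same indicators anchored to one value name from the catalog's sample values (constructed rule).
SPECIFIC = NOISY + [("TargetObject", "ends_with", r"\UseLogonCredential")]
# Exclusions copied from the most-used rows of the Exclusions table.
COMMON_EXCLUSIONS = [("Image", "wildcard", r"?:\windows\system32\svchost.exe"),
                     ("Image", "wildcard", r"?:\windows\system32\msiexec.exe"),
                     ("Image", "ends_with", r"\officeclicktorun.exe")]

if __name__ == "__main__":
    print({"noisy": run_rule(NOISY), "noisy+exclusions": run_rule(NOISY, COMMON_EXCLUSIONS),
           "specific": run_rule(SPECIFIC)})  # {'noisy': [1, 2, 3, 4], 'noisy+exclusions': [2], 'specific': [2]}
```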

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 96 rules

Elastic 44 rules

Splunk 105 rules

Kusto 1 rule

YARA-L 8 rules