# T1112 Modify Registry

-----------------------------------------------------------------------

## Technique Description

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.

## Technique Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.

Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and clean up malicious hidden Registry entries using native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
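Two of the detection points above are awkward to express as a single search string, so here they are as code. This is an added example for this playbook, not MITRE's text or code and not the playbook authors': it scans Sysmon registry events (12 create/delete, 13 value set, 14 rename) for key or value names carrying an embedded null, which is how Reghide-style pseudo-hidden keys defeat Reg and regedit, and it pairs a service `ImagePath` change with a later process start of the new binary, the "modification followed by a service start" pattern described above. Field names follow Sysmon (`EventID`, `UtcTime`, `Image`, `TargetObject`, `Details`); the sample records are constructed, and the code assumes the log collector preserves the embedded null as the JSON escape `\u0000` rather than truncating the name at it.

```python
"""T1112 detection examples over constructed Sysmon-style events (example code,
not from MITRE or the playbook authors)."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry, newline-delimited JSON. Raw string so the JSON
# escapes (\\ and \u0000) reach json.loads untouched; the second record carries a
# null byte at the start of a key name, as a Reghide-style hidden key would.
SAMPLE_LOG = r'''
{"EventID": 13, "UtcTime": "2022-06-23 10:00:01.000", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\u\\upd.exe"}
{"EventID": 12, "UtcTime": "2022-06-23 10:00:05.000", "Image": "C:\\Users\\u\\tool.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\\u0000{ab12}", "Details": ""}
{"EventID": 13, "UtcTime": "2022-06-23 10:01:00.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath", "Details": "C:\\ProgramData\\spool.exe"}
{"EventID": 1, "UtcTime": "2022-06-23 10:01:30.000", "Image": "C:\\ProgramData\\spool.exe", "TargetObject": "", "Details": ""}
{"EventID": 1, "UtcTime": "2022-06-23 11:30:00.000", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetObject": "", "Details": ""}
'''

SYSMON_REGISTRY_EVENTS = {12, 13, 14}
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"


def parse_events(text):
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hidden_name_findings(events):
    """Flag registry events whose target path contains a null or other control
    character. Win32 registry APIs treat names as null-terminated, so such keys
    are invisible to Reg/regedit, but the kernel (and Sysmon) still see the full name."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in SYSMON_REGISTRY_EVENTS:
            continue
        path = ev.get("TargetObject", "")
        if any(ord(c) < 0x20 for c in path):
            findings.append({
                "time": ev["UtcTime"],
                "image": ev["Image"],
                "target": path.replace("\x00", "<NUL>"),
                "reason": "control character in key/value name",
            })
    return findings


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def service_path_followed_by_start(events, window=timedelta(minutes=10)):
    """Pair an ImagePath value set under the Services key (Sysmon 13) with a later
    process start (Sysmon 1) of that same image inside `window`.
    Returns a list of (service name, image path, seconds between the two)."""
    starts = [ev for ev in events if ev.get("EventID") == 1]
    hits = []
    for ev in events:
        target = ev.get("TargetObject", "")
        low = target.lower()
        if ev.get("EventID") != 13 or not low.startswith(SERVICES_PREFIX):
            continue
        if not low.endswith("\\imagepath"):
            continue
        service = target[len(SERVICES_PREFIX):].split("\\")[0]
        new_path = ev.get("Details", "").strip().strip('"').lower()
        for s in starts:
            delta = _ts(s) - _ts(ev)
            if timedelta(0) <= delta <= window and s["Image"].lower() == new_path:
                hits.append((service, s["Image"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in hidden_name_findings(evs):
        print("HIDDEN-KEY", f)
    for svc, image, secs in service_path_followed_by_start(evs):
        print(f"SERVICE {svc}: ImagePath rewritten, then {image} started {secs}s later")
```

The null-name check only works if the pipeline keeps the byte; if the hidden key shows up in your index with its name cut off at the first null, that truncation itself is the signal to search for. The service correlation uses a ten-minute window because the text says the start "will likely" follow the change, not that it follows immediately.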

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Defenses Bypassed:

  * Host forensic analysis

### Data Sources:

  * **Process:** Process Creation

  * **Windows Registry:** Windows Registry Key Deletion

  * **Command:** Command Execution

  * **Process:** OS API Execution

  * **Windows Registry:** Windows Registry Key Modification

  * **Windows Registry:** Windows Registry Key Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key <code>HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest</code> by setting the <code>UseLogonCredential</code> registry value to <code>1</code> in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 Oct 2018)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.(Citation: McAfee Honeybee)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under <code>HKCU\Software\Microsoft\Office\</code>.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has deleted Registry keys during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has modified the Windows Registry to store the backdoor's configuration.(Citation: ESET OceanLotus Mar 2019)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has removed security settings for VBA macro execution by changing registry values <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\VBAWarnings</code> and <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\AccessVBOM</code>.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)| 
| Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has modified the Registry to perform multiple techniques through the use of [Reg](https://attack.mitre.org/software/S0075).(Citation: US-CERT TA18-074A)| 
| Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Trend Micro Iron Tiger April 2021)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used the Registry to store encrypted payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1112)

  * [Capec](https://capec.mitre.org/data/definitions/203.html)

  * [Microsoft Reg](https://technet.microsoft.com/en-us/library/cc732643.aspx), Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.

  * [Microsoft Reghide Nov 2006](https://docs.microsoft.com/sysinternals/downloads/reghide), Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.

  * [Trendmicro Poweliks Aug 2014](https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/), Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.

  * [Spectorops Hiding Reg Jul 2017](https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353), Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.

  * [Microsoft Remote](https://technet.microsoft.com/en-us/library/cc754820.aspx), Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.

  * [Microsoft 4657 Apr 2017](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657), Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.

  * [Microsoft Regdelnull July 2016](https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull), Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may query the Windows Registry using common LOLBins in order to gather information about the system, such as configuration or installed software.
- Adversaries may query the Windows Registry using any tool that utilizes registry-related API calls.
- Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 3 | |

#### Turla
- Turla has used the Registry to store encrypted payloads.

#### APT28
- ADVSTORESHELL (Backdoor used by APT28) is capable of setting and deleting Registry values.
- LoJax (Rootkit used by APT28) has modified the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute` from `autocheck autochk *` to `autocheck autoche *`.

#### APT29
- PolyglotDuke (downloader used by APT29) can write encrypted JSON configuration files to the Registry.
- RegDuke (.NET implant used by APT29) can store its encryption key in the Registry.

## Detection Blindspots

- Missing logs
- Undocumented LOLBins
- Modifications to the Registry are normal and occur throughout typical use of the Windows operating system.

## Analytical References

  * [Known/Observed LOL Bins](https://lolbas-project.github.io/) 
  * [Atomic Red Team (redcanary)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md)
  * [Audit Registry (microsoft)](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry)
  * [Sofacy Playbook Viewer (github)](https://pan-unit42.github.io/playbook_viewer/?pb=sofacy)
  * [Atomic Red Team T1112 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md)
  * [Security Log Encyclopedia (ultimatewindowssecurity)](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)
  * [ESET Sednit Part1 2016 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf)
  * [Turla Powershell Usage (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Waterbug Espionage Governments](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments)
  * [Uroburos 2014 (kasperskycontenthub)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf)



-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Modifying the registry may also be seen with techniques such as Boot or Logon Autostart Execution (T1547) and Query Registry (T1012).
- Additional events that may be related: `Event_id : 1 and process.name : reg.exe or regedit.exe`, `Event_id : 4657`, `Event_id : 12 or 13 or 14`


#### Analytic 1

  * **Information:** Process Start Events

  * **Source:** Windows eventID 4688, Sysmon eventID 1

  * **Tool:** Kibana

  * **Notes:**
    1. Process start events pertaining to registry-viewing tools should not be excessively common on a network. If you find many, look for common automation noise (see the wiki page on observed instances of noisy automation tools, e.g. Tanium or SCCM, with suggestions about how to eliminate them) and eliminate it cautiously: you do not want to allow the adversary to hide in the exclusions.
    2. Legitimate uses of these tools will be performed by admins while they are working. Eliminating legitimate admin activity can be difficult; you can try to work with the MP to identify legitimate admin accounts and align those accounts with work schedules.
    3. At this point, remaining instances should be investigated more thoroughly. Consider the following:
        - What is being queried?
        - Why would a legitimate admin query that information?
        - Why would an adversary want to collect the suggested information?
        - Has the subject user account performed both similar AND related tasks?
        - And do those tasks fit with the expected work functions of that user?
    4. Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
    5. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
    6. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. Inspect and clean up malicious hidden Registry entries using native Windows API calls and/or tools such as Autoruns and RegDelNull.


#### Analytic 2

  * **Information:** Detect registry-related API calls

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** Proper analysis using this technique is impossible with currently available tools and GIVE UP NOW BEFORE YOU GO ANY FURTHER...

    1. This procedure requires the Windows audit policy on host systems to be configured to generate Event ID 4656 events.
    2. Perform a search to collect 4656 events filtered to object_type:Key. If these events are enabled, there will be far too many to review individually. Narrow them by:
        - Locations
        - Frequency
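Steps 1 to 3 of Analytic 1 and the location/frequency cut of Analytic 2 as one small triage script, added here as an example and not MITRE's or the playbook authors' code. Field names are those of Windows Security events 4688 (`NewProcessName`, `ParentProcessName`, `SubjectUserName`, `CommandLine`) and 4656 (`ObjectType`, `ObjectName`); registry object names in 4656 are in the NT form `\REGISTRY\MACHINE\...` and `\REGISTRY\USER\<SID>\...`. The SCCM parent path in the allowlist is a hypothetical entry for illustration, and every record is constructed.

```python
"""Baselining registry-related events for Analytic 1 (registry-tool process starts)
and Analytic 2 (4656 key handle requests). Example code for this playbook, not from
MITRE or the playbook authors."""
from collections import Counter

REGISTRY_TOOLS = {"reg.exe", "regedit.exe"}

# Parents whose reg.exe children are accepted as automation noise. Hypothetical
# entry for illustration; each real entry should cite the wiki page on observed
# noisy automation and stay narrow, because exclusions are where an adversary hides.
KNOWN_AUTOMATION_PARENTS = {
    r"c:\windows\ccm\ccmexec.exe": "SCCM client (assumed path)",
}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Analytic 1 input: 4688 process starts (Sysmon 1 carries the same data under other names)
    {"EventID": 4688, "SubjectUserName": "svc_sccm", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe", "CommandLine": r"reg query HKLM\SOFTWARE\Corp\Inventory"},
    {"EventID": 4688, "SubjectUserName": "svc_sccm", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe", "CommandLine": r"reg query HKLM\SOFTWARE\Corp\Inventory"},
    {"EventID": 4688, "SubjectUserName": "admin1", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Spooler"},
    {"EventID": 4688, "SubjectUserName": "user7", "NewProcessName": r"C:\Windows\regedit.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "regedit.exe"},
    {"EventID": 4688, "SubjectUserName": "user7", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # Analytic 2 input: 4656 handle requests; only ObjectType Key is registry activity
    {"EventID": 4656, "SubjectUserName": "user7", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler"},
    {"EventID": 4656, "SubjectUserName": "user7", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 4656, "SubjectUserName": "user7", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer"},
    {"EventID": 4656, "SubjectUserName": "user7", "ObjectType": "File",
     "ObjectName": r"C:\Users\user7\notes.txt"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def registry_tool_starts(events):
    """Analytic 1, step 1: process starts of reg.exe / regedit.exe (4688 or Sysmon 1)."""
    return [e for e in events
            if e["EventID"] in (4688, 1) and basename(e.get("NewProcessName", "")) in REGISTRY_TOOLS]


def split_noise(starts):
    """Analytic 1, step 1: separate known automation by parent image.
    Suppressed events are returned too, so every exclusion stays auditable."""
    noise, remaining = [], []
    for e in starts:
        reason = KNOWN_AUTOMATION_PARENTS.get(e.get("ParentProcessName", "").lower())
        (noise if reason else remaining).append(e)
    return noise, remaining


def by_user_and_parent(starts):
    """Analytic 1, steps 2-3: counts per (user, parent) to stack-rank what to investigate,
    and to line admin accounts up against their work schedules."""
    return Counter((e["SubjectUserName"], basename(e.get("ParentProcessName", ""))) for e in starts)


def key_locations(events, depth=3):
    """Analytic 2: 4656 Key events aggregated by the first `depth` path components, so
    rarely touched locations stand out from the bulk of routine user-hive access."""
    counts = Counter()
    for e in events:
        if e["EventID"] != 4656 or e.get("ObjectType") != "Key":
            continue
        parts = [p for p in e["ObjectName"].split("\\") if p]
        counts["\\" + "\\".join(parts[:depth])] += 1
    return counts


def rare_locations(counts, max_count=1):
    """Locations seen at most `max_count` times in the window: the review queue."""
    return sorted(loc for loc, n in counts.items() if n <= max_count)


if __name__ == "__main__":
    noise, remaining = split_noise(registry_tool_starts(SAMPLE_EVENTS))
    print(f"suppressed {len(noise)} automation starts; {len(remaining)} left to triage")
    for (user, parent), n in by_user_and_parent(remaining).most_common():
        print(f"  {user:10} via {parent:14} x{n}")
    print("rare key locations:", rare_locations(key_locations(SAMPLE_EVENTS)))
```

`depth` decides what "location" means: 3 separates machine hives from user hives, a larger value separates `Software\Microsoft\Windows\CurrentVersion\Run` from the rest of the user hive. Tune it against a week of real 4656 volume before trusting `rare_locations` as a queue.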

#### Analytic 3

  * **Information:** Sofacy's (APT28) C# Zebrocy uses REG ADD to add a registry key for persistence [Query1]. JHUHUGIT (Malware from APT28) registers a Windows shell script under this key to establish persistence [Query2].

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 
  
  * **Query1:** `TargetObject : HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`
  * **Query2:** `TargetObject : HKCU\Environment\UserInitMprLogonScript`
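Query1 and Query2 above as code, added here as an example (not from MITRE or the playbook authors), with a caveat the raw Kibana strings miss: Sysmon records per-user hives as `HKU\<SID>\...` rather than `HKCU\...`, and a value written through `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001` is logged under that name, so a literal `HKCU` or `CurrentControlSet` match sees only part of the activity. The watchlist also carries the WDigest `UseLogonCredential` and Office keys from the adversarial usage table; the sample events are constructed.

```python
"""Watchlist matching for Sysmon registry events with hive-name normalisation.
Example code for this playbook, not from MITRE or the playbook authors."""
import re

# Watched key paths in the HKCU/HKLM shorthand used in the analytic queries.
WATCHLIST = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": "Winlogon (Analytic 3, Query1)",
    r"HKCU\Environment\UserInitMprLogonScript": "UserInitMprLogonScript (Analytic 3, Query2)",
    r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential": "WDigest UseLogonCredential",
    r"HKCU\Software\Microsoft\Office": "Office security settings (VBAWarnings, AccessVBOM)",
}

# Constructed sample events (Sysmon field names EventID, TargetObject).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\UserInitMprLogonScript"},
    {"EventID": 13, "TargetObject": r"HKLM\System\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001_Classes\Local Settings\MuiCache"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Foo"},
    {"EventID": 1, "TargetObject": ""},
]

# A per-user hive: HKU\S-1-5-21-<domain>-<rid>. The lookahead keeps HKU\<SID>_Classes
# (a separate hive) from being rewritten.
_USER_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+(?=\\|$)", re.IGNORECASE)


def normalize(path):
    """Canonicalise a registry path so one watchlist entry matches every spelling:
    long hive names to short ones, HKU\\<SID> to HKCU, ControlSet00N to
    CurrentControlSet, then lower-case."""
    p = path.strip()
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.IGNORECASE)
    p = re.sub(r"^HKEY_USERS", "HKU", p, flags=re.IGNORECASE)
    p = re.sub(r"^HKEY_CURRENT_USER", "HKCU", p, flags=re.IGNORECASE)
    p = _USER_SID.sub("HKCU", p)
    p = re.sub(r"\\ControlSet00\d\\", r"\\CurrentControlSet\\", p, flags=re.IGNORECASE)
    return p.lower()


_NORMALIZED_WATCHLIST = [(normalize(k), label) for k, label in WATCHLIST.items()]


def match_watchlist(target_object):
    """Return the label of the watchlist path that equals, or is a parent of, the event path."""
    n = normalize(target_object)
    for key, label in _NORMALIZED_WATCHLIST:
        if n == key or n.startswith(key + "\\"):
            return label
    return None


def hunt(events):
    """Apply the watchlist to Sysmon registry events (12 create/delete, 13 set, 14 rename)."""
    hits = []
    for e in events:
        if e.get("EventID") not in (12, 13, 14):
            continue
        label = match_watchlist(e.get("TargetObject", ""))
        if label:
            hits.append((e["EventID"], e["TargetObject"], label))
    return hits


if __name__ == "__main__":
    for event_id, target, label in hunt(SAMPLE_EVENTS):
        print(f"[{label}] event {event_id}: {target}")
```

The same normalisation belongs in the Kibana queries: either index a normalised copy of `TargetObject` at ingest, or widen Query1 and Query2 to `HKU\*\Software\...` and `HKU\*\Environment\...` so that the SID does not hide the match.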
  



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

