Modify Registry (T1112)


Technique & Subtechniques

  • Modify Registry

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description Source(s)
Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. Microsoft Reg
Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015. Microsoft Remote
Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018. Microsoft 4657 APR 2017
Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. SpectorOps Hiding Reg Jul 2017
Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. Microsoft Reghide NOV 2006
Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018. Microsoft RegDelNull July 2016
Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018. TrendMicro POWELIKS AUG 2014