T1112: Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character. The Native API (NtCreateKey and friends) takes counted UNICODE_STRING names, so the null is legal there, but the Win32 Reg* functions treat names as null-terminated strings; Reg and other utilities built on the Win32 API therefore see an empty name and return an error and/or skip the key. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. This requires the Remote Registry service (RemoteRegistry) to be running on the target system. Valid Accounts are usually required, along with access to the remote system's SMB/Windows Admin Shares, because the Registry RPC interface is carried over SMB.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Category | Rule ID | Rule name | Description
---|---|---|---
mitre_attck_impact | PT-CR-502 | Stop_Important_Service_Registry | Detection of attempts to stop an important service. The list of services is in the table list Significant_Services.
remote_work | PT-CR-435 | Windows_Firewall_Enable_Local_RDP | Remote access to the system via RDP was enabled.
mitre_attck_cred_access | PT-CR-297 | Abusing_CredSSP | The CredSSP settings are modified to use less secure user authentication algorithms.
mitre_attck_cred_access | PT-CR-771 | LSASS_Dump_Via_SilentProcessExit | Possible creation of an lsass.exe process memory dump using SilentProcessExit.
mitre_attck_cred_access | PT-CR-566 | LSA_SSP_Change | The values of the registry keys that contain paths of Security Support Provider (SSP) libraries are changed.
mitre_attck_cred_access | PT-CR-2077 | Netlogon_Activated | A user changed the registry setting that allows vulnerable connections via the Netlogon secure channel for non-Windows devices.
mitre_attck_cred_access | PT-CR-1769 | Subrule_PPLmedic_DllLoad | PPLmedic injected a DLL file via the registry.
mitre_attck_lateral_movement | PT-CR-1372 | Remote_SSP_Dump | The use of a script from a modified Impacket toolkit is detected; it allows the lsass process memory to be dumped remotely.
mitre_attck_lateral_movement | PT-CR-785 | Modify_And_Start_Remote_Service | An attempt at code execution or lateral movement by changing a system service startup command is detected.
mitre_attck_lateral_movement | PT-CR-1752 | Service_From_Remote_File_Creation | A service was created from a network directory.
mitre_attck_lateral_movement | PT-CR-788 | Shadow_Key_Creation | Creation of the Shadow registry key to establish a shadow RDP connection is detected.
mitre_attck_lateral_movement | PT-CR-956 | Disable_Smartcard | Smart card logon is disabled in the registry.
mssql_database | PT-CR-426 | MSSQL_Write_Registry_Value | An attempt to write a registry key value from a database.
hacking_tools | PT-CR-757 | Internal_Monologue_Attack | A NetNTLM downgrade attack using Internal Monologue is detected.
hacking_tools | PT-CR-1838 | NimExec_Activity | The activity of the NimExec tool used to remotely execute commands is detected.
mitre_attck_defense_evasion | PT-CR-2558 | NTLM_Downgrade | Registry keys responsible for the version of the NTLM authentication protocol were modified. This may indicate an NTLM downgrade attack, in which an attacker downgrades the protocol version to weaken the protection of the data being transmitted.
mitre_attck_defense_evasion | PT-CR-643 | Hide_Account_From_Logon_Screen | A username is hidden from the welcome screen.
mitre_attck_defense_evasion | PT-CR-563 | Disable_Restricted_Admin_Mode | A process changed the value of a registry key to disable Restricted Admin mode.
mitre_attck_defense_evasion | PT-CR-193 | ControlPanel_AWL_Bypass | An attempt to bypass application-start restrictions by using control.exe (a built-in Microsoft Windows utility used to execute Control Panel items).
mitre_attck_defense_evasion | PT-CR-454 | Dnscmd_AWL_Bypass | An attempt to bypass application-start restrictions by using the built-in Microsoft Windows utility dnscmd.exe (a command-line interface for managing DNS servers).
mitre_attck_defense_evasion | PT-CR-1360 | Suspicious_Registry_Value | Windows Registry abuse. This is often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, and other malicious activity.
mitre_attck_defense_evasion | PT-CR-940 | SharpEventPersist_Usage | Starting the SharpEventPersist utility to gain persistence in a system is detected.
mitre_attck_defense_evasion | PT-CR-312 | Disable_LSA_Protection | LSA protection is disabled.
mitre_attck_defense_evasion | PT-CR-1856 | DNS_Over_HTTPS_Enable | Attackers can enable DNS over HTTPS for a browser or for Windows to hide Internet traffic or data leakage.
mitre_attck_defense_evasion | PT-CR-562 | Disable_Credential_Guard | Credential Guard is disabled in the registry.
mitre_attck_defense_evasion | PT-CR-773 | LSASS_SilentProcessExit_Keys | Registry keys for an lsass.exe process memory dump were created using SilentProcessExit.
mitre_attck_defense_evasion | PT-CR-313 | WDigest_Enable | WDigest authentication is enabled.
mitre_attck_defense_evasion | PT-CR-1208 | EventLog_File_Substitute | The Windows Event Log file path is substituted to make the file unavailable.
mitre_attck_defense_evasion | PT-CR-2224 | Safe_Mode_Boot | A user changed a system setting or registry key responsible for booting the system, or for starting a process, service, or driver, in safe mode. This allows attackers to disable endpoint protection and avoid detection.
mitre_attck_defense_evasion | PT-CR-2234 | Office_Security_Params_Changed | A user changed a registry key that ensures the security of MS Office applications. Attackers can use MS Office macros to gain persistence in the system.
mitre_attck_defense_evasion | PT-CR-1859 | Disable_UAC_Remote_Restrictions | Attackers can disable the UAC restrictions that apply to remote connections. This allows an account from the local Administrators group of a host to connect to that host remotely with a full high-privilege token.
mitre_attck_defense_evasion | PT-CR-1210 | MiniNT_Key_Created | The Windows Event Log service is disabled by creating the MiniNT registry key.
mitre_attck_defense_evasion | PT-CR-933 | Malicious_Activity_From_Office_Documents | The following suspicious activity of Office programs is detected: creating executables, changing registry keys, loading the DLL of an Internet Explorer COM object, creating threads in other processes' address space.
mitre_attck_defense_evasion | PT-CR-1368 | Disable_Sysmon | Sysmon was updated or disabled.
mitre_attck_discovery | PT-CR-2235 | Always_Install_Elevated_Enable | Attackers can change the registry key that makes Windows Installer packages install with SYSTEM privileges in order to escalate privileges.
mitre_attck_command_and_control | PT-CR-461 | Port_Forwarding_Or_Tunneling | A potential attempt to forward a network port is detected.
mitre_attck_execution | PT-CR-777 | Hidden_Scheduled_Task | Creation of a hidden scheduled task, or a hidden modification of an existing scheduled task, has been detected without it being written to the Windows event log. A task can be created or modified directly in the registry, without using the Windows Task Scheduler.
mitre_attck_execution | PT-CR-778 | Hidden_Service_Create | Creation of a hidden service from the registry, without using the CreateService function, is detected.
mitre_attck_privilege_escalation | PT-CR-2461 | UAC_Bypass_Via_Registry_Hijacking | A user escalated privileges using one of the system utilities whose manifests contain the "autoElevate" element, which allows privilege escalation without a prompt from User Account Control (UAC). To obtain a local administrator token with a high integrity level, attackers create an empty "DelegateExecute" value in the registry and place the payload in the "(Default)" value of the same key. They then start a system utility that reads the "(Default)" value and always runs with a high integrity level, which executes the payload at the highest permission level. The following system utilities can be used for this purpose: eventvwr.exe, fodhelper.exe, ComputerDefaults.exe, slui.exe, and control.exe.
mitre_attck_privilege_escalation | PT-CR-2460 | Registry_Modification_For_UAC_Bypass | A registry change that can indicate an attempt to escalate privileges. To obtain a local administrator token with a high integrity level, attackers create an empty "DelegateExecute" value in the registry and place the payload in the "(Default)" value of the same key. They then start a system utility that reads the "(Default)" value and always runs with a high integrity level, which executes the payload at the highest permission level.
mitre_attck_persistence | PT-CR-2633 | Network_Provider_Modification | A new network provider was created or registered by modifying registry keys. This may indicate an attacker's attempt to gain persistence in the system using a new network provider DLL.
mitre_attck_persistence | PT-CR-261 | GlobalFlags_In_Image_File_Execution_Options | An attempt to modify the "Image File Execution Options" registry key to inject third-party software into the process startup sequence is detected.
mitre_attck_persistence | PT-CR-1345 | Abusing_Windows_Telemetry_Persist | Persistence by changing TelemetryController component settings.
mitre_attck_persistence | PT-CR-666 | Universal_Windows_Platform_Apps_Modify | A key is set for a UWP application.
mitre_attck_persistence | PT-CR-963 | Perf_Key_Modify | The value of the Perf registry key was changed.
mitre_attck_persistence | PT-CR-521 | Debugger_In_Image_File_Execution_Options | An attempt to inject third-party software into the process startup sequence using the "Debugger" value is detected.
mitre_attck_persistence | PT-CR-809 | Hiding_Already_Existing_Task | A scheduled task is hidden.
mitre_attck_persistence | PT-CR-1348 | RID_Hijacking_Persistence | Persistence by hijacking an account's relative identifier (RID).
mitre_attck_persistence | PT-CR-2668 | Outlook_Form_Creation | A custom form was created in the Outlook client. This could be an attacker's attempt to escalate privileges or execute arbitrary code.
mitre_attck_persistence | PT-CR-268 | Windows_Accessibility_StickyKey_Modification | An attempt to modify registry keys that start accessibility applications is detected.
mitre_attck_persistence | PT-CR-1349 | AppCert_DLLs_Persist | Persistence by changing AppCertDLLs component settings.
mitre_attck_persistence | PT-CR-2702 | Outlook_Malicious_Actions | The most dangerous settings of the Outlook client were changed by editing registry keys. An attacker can change Outlook settings to execute arbitrary code, escalate privileges, or gain persistence in the system.
mitre_attck_persistence | PT-CR-2594 | Hidden_Account_Creation | A hidden account with administrator permissions was created using a new registry key with user information. The event was not recorded in the Windows event log.
mitre_attck_persistence | PT-CR-2649 | Outlook_Form_Exploitation | Outlook started a suspicious process after a custom form was created in the Outlook client. This may indicate an attacker's attempt to gain persistence in the system or execute arbitrary code.
mitre_attck_persistence | PT-CR-667 | Userinitmprlogonscript_Modify | A process changed the UserInitMprLogonScript registry value.
mitre_attck_persistence | PT-CR-265 | COM_Object_Persistence | An attempt to modify Component Object Model references and Interop entries in the Microsoft Windows registry is detected.
mitre_attck_persistence | PT-CR-662 | Command_Processor_Autorun_Modify | A process changed the AutoRun value of the command-line interpreter (cmd.exe) registry key.
mitre_attck_persistence | PT-CR-1346 | Time_Providers_Persistence | Persistence by changing TimeProviders settings.
mitre_attck_persistence | PT-CR-267 | Registry_Winlogon_Helper | Persistence by modifying Winlogon component settings.
mitre_attck_persistence | PT-CR-664 | Default_File_Association_Modify | A process changed one of the registry hives that determine the default application used to open files with a specific extension.
mitre_attck_persistence | PT-CR-2616 | Windows_Startup_Folder_Modification | The startup folder was changed for one or all users through registry key modification. An attacker can place a malicious file in the new startup folder to gain persistence in the system or elevate their privileges.
mitre_attck_persistence | PT-CR-1997 | EventViewer_Registry_Modify | The registry key responsible for redirecting to help for the Event Viewer component has been changed. An attacker can put in it the path to a file that will be executed when help is requested, in order to persist on the target system.
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that could change, conceal, and/or delete information in the Registry. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features (for example PowerShell script block logging) to be configured in the operating system to collect the necessary information for analysis.
DS0029 | Network Traffic: Network Traffic Flow | Remote access to the Registry can be achieved via several remote management channels, all of which call into the Windows API, which carries the protocol over the WINREG named pipe over SMB. This traffic can be decoded with Wireshark or a similar sensor, and the behavior can also be detected by hooking the API function. Analytic 1: Remote Registry
DS0024 | Windows Registry: Windows Registry Key Deletion | Monitor for unexpected deletion of Windows Registry keys to hide configuration information, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
DS0024 | Windows Registry: Windows Registry Key Creation | Monitor for newly constructed Registry keys or values that aid in persistence and execution. Example: detect the creation of the SafeDllSearchMode value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. When SafeDllSearchMode is set to 0, safe DLL search order is disabled and the current directory is searched before the system directories, so an adversary can get a malicious DLL of the same name loaded ahead of the legitimate one. Analytic 1: Registry Edit with Creation of SafeDllSearchMode Key Set to 0
DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to Windows Registry keys or values. Consider enabling Registry auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed; 4657 is only generated when the Audit Registry subcategory is enabled and a SACL has been set on the key, and it may not trigger when keys are created with Reghide or other evasive methods. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, it will likely be followed by a local or remote service start or restart to execute the file. Example: detect modification of the Notify, Userinit, and Shell values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. When a user logs on, these values determine which Windows components are loaded; attackers may append a malicious payload after the legitimate value (Userinit is a comma-separated list) so that it launches at logon. Example: detect modification of the Common Startup value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders. When a user logs on, any files located in the Startup folder are launched; attackers may redirect these folders to a different path to evade detection logic focused on the default folders. This detection uses Event IDs 4688 and Sysmon 1 for process creation and Event ID 4657 for modification of the Registry values. Analytic 1: Registry Edit with Modification of Userinit, Shell or Notify. Analytic 2: Modification of Default Startup Folder in the Registry Key 'Common Startup'
DS0009 | Process: OS API Execution | Monitor for API calls associated with concealing Registry keys, such as those used by Reghide. Inspect and clean up malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns and RegDelNull. Other Win32 Registry API calls (for example RegCreateKeyEx and RegSetValueEx) are also relevant to Registry modification. Note: most EDR tools do not support direct monitoring of API calls because of the sheer volume of calls produced by an endpoint, but they may have alerts or events based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, of a single PE binary.
DS0009 | Process: Process Creation | Monitor processes and command-line arguments for actions that could change, conceal, and/or delete information in the Registry (e.g., reg.exe, regedit.exe). The analytic is oriented around detecting invocations of Reg where the parent executable is an instance of cmd.exe that was not spawned by explorer.exe. The built-in utility reg.exe provides a command-line interface to the Registry, so that queries and modifications can be performed from a shell such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will typically be explorer.exe. Occasionally, power users and administrators write scripts that do this as well, but likely from a different process tree; these background scripts must be baselined so they can be tuned out. Event IDs are Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created). Analytic 1: Registry Edit with Modification of Userinit, Shell or Notify. Analytic 2: Modification of Default Startup Folder in the Registry Key 'Common Startup'. Analytic 3: Registry Edit with Creation of SafeDllSearchMode Key Set to 0
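The analytics in the Detection table, and the null-character pseudo-hidden key from the technique description, written as runnable detection logic. This is an added example, not code from the ATT&CK page or from the Positive Technologies rules above. It assumes events arrive as dictionaries carrying the field names of a Windows Security 4657 event (ObjectName, ObjectValueName, NewValue) or a Sysmon Event ID 1 (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine); the sample events, paths and GUIDs are constructed for the example and are not real telemetry. Event ID 1 only records the parent, so the "cmd.exe not spawned by explorer.exe" analytic joins process-creation events on ProcessGuid/ParentProcessGuid to recover the grandparent.

```python
"""Added example: T1112 detection analytics over constructed sample telemetry."""
from __future__ import annotations

import re

# Known-good Winlogon values for Analytic 1 (assumption: a default Windows image; tune
# per build). Notify has no benign default here, so any change to it alerts.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}
WINLOGON_KEY = re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon$", re.I)
STARTUP_KEY = re.compile(r"\\explorer\\(user )?shell folders$", re.I)
SESSION_MANAGER_KEY = re.compile(r"\\control\\session manager$", re.I)


def _norm(s: str) -> str:
    return s.strip().lower()


def _basename_is(path: str | None, name: str) -> bool:
    return bool(path) and path.rsplit("\\", 1)[-1].lower() == name


def check_registry_event(ev: dict) -> list[str]:
    """Analytics 1-3 for one 4657-style event, plus the pseudo-hidden-name check:
    a key or value name containing a null character is invisible to Win32-based tools."""
    hits: list[str] = []
    key = ev.get("ObjectName", "")
    name = ev.get("ObjectValueName", "")
    new = str(ev.get("NewValue", ""))
    if "\x00" in key or "\x00" in name:
        hits.append(f"pseudo-hidden registry name (embedded null character) in {key!r}")
    if WINLOGON_KEY.search(key) and _norm(name) in ("userinit", "shell", "notify"):
        if _norm(new) != WINLOGON_DEFAULTS.get(_norm(name)):
            hits.append(f"Analytic 1: Winlogon\\{name} changed to {new!r}")
    if STARTUP_KEY.search(key) and _norm(name) == "common startup":
        hits.append(f"Analytic 2: Common Startup folder redirected to {new!r}")
    if SESSION_MANAGER_KEY.search(key) and _norm(name) == "safedllsearchmode":
        try:
            disabled = int(new, 0) == 0
        except ValueError:
            disabled = True  # an unparsable DWORD is worth a look as well
        if disabled:
            hits.append(f"Analytic 3: SafeDllSearchMode set to {new!r}")
    return hits


def check_process_tree(events: list[dict]) -> list[str]:
    """Process Creation analytic: reg.exe whose parent is cmd.exe, where that cmd.exe
    was not itself started by explorer.exe (i.e. not an interactive user)."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events if ev.get("EventID") == 1}
    hits: list[str] = []
    for ev in by_guid.values():
        if not (_basename_is(ev.get("Image"), "reg.exe")
                and _basename_is(ev.get("ParentImage"), "cmd.exe")):
            continue
        parent = by_guid.get(ev.get("ParentProcessGuid"))
        grandparent = parent.get("ParentImage") if parent else None  # None = no record
        if not _basename_is(grandparent, "explorer.exe"):
            hits.append(f"reg.exe under cmd.exe not spawned by explorer.exe "
                        f"(grandparent={grandparent}): {ev.get('CommandLine')}")
    return hits


def run_analytics(events: list[dict]) -> list[str]:
    alerts = [h for ev in events if ev.get("EventID") == 4657 for h in check_registry_event(ev)]
    alerts.extend(check_process_tree(events))
    return alerts


# Constructed sample telemetry (not real logs).
WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    # Benign: Userinit rewritten to its default (e.g. by a patch); no alert.
    {"EventID": 4657, "ObjectName": WINLOGON, "ObjectValueName": "Userinit",
     "NewValue": r"C:\Windows\system32\userinit.exe,"},
    # Malicious: a second binary appended to the comma-separated Userinit list.
    {"EventID": 4657, "ObjectName": WINLOGON, "ObjectValueName": "Userinit",
     "NewValue": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svchost.exe"},
    {"EventID": 4657, "ObjectValueName": "Common Startup", "NewValue": r"C:\ProgramData\Startup2",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"},
    {"EventID": 4657, "ObjectValueName": "SafeDllSearchMode", "NewValue": "0",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"},
    # Key name beginning with a null character, as Reghide creates it.
    {"EventID": 4657, "ObjectValueName": "Updater", "NewValue": r"C:\Users\Public\u.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00hidden"},
    # Sysmon 1: interactive user runs reg.exe from a cmd.exe started by explorer.exe; no alert.
    {"EventID": 1, "ProcessGuid": "cmd-user", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "explorer", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "reg-user", "Image": r"C:\Windows\System32\reg.exe",
     "ParentProcessGuid": "cmd-user", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"'},
    # Sysmon 1: reg.exe from a cmd.exe spawned by a service; alert.
    {"EventID": 1, "ProcessGuid": "cmd-svc", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "services", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessGuid": "reg-svc", "Image": r"C:\Windows\System32\reg.exe",
     "ParentProcessGuid": "cmd-svc", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
                    r'/v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Users\Public\svchost.exe" /f'},
]

if __name__ == "__main__":
    for alert in run_analytics(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample it raises five alerts: one each for the Userinit append, the Common Startup redirect, SafeDllSearchMode = 0, the null-prefixed Run subkey, and the service-spawned reg.exe; the benign default rewrite and the interactive reg.exe produce nothing. Note that Winlogon is compared against a known-good value rather than simply alerting on any write, which is what keeps patch cycles out of the alert queue; the WINLOGON_DEFAULTS table is where that baseline lives.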
Mitigation
ID | Name | Description
---|---|---
M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.