Modify Registry

October 2, 2024

ID: E1112
Objective(s): Defense Evasion, Persistence
Related ATT&CK Techniques: Modify Registry (T1112)
Version: 2.3
Created: 2 August 2022
Last Modified: 28 April 2024

Modify Registry

Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective). The Windows registry is a database that stores low-level settings for the operating system and for applications that opt to use the registry. Malware may create, delete, or modify registry keys and values to change the behavior of the system or certain applications. For instance, malware may modify registry keys to enable remote desktop connections, disable security features, or to automatically start the malware whenever the system boots. This technique is commonly used by various types of malware, including ransomware, trojans, and worms.

See ATT&CK: Modify Registry (T1112).

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| GoBotKR | 2019 | -- | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [2] |
| Hupigon | 2013 | -- | The malware adds many entries to the registry. [3] |
| Gamut | 2014 | -- | The malware adds a registry key. [4] |
| Kovter | 2016 | -- | The malware modifies the registry during execution. [5] |
| Shamoon | 2012 | -- | Shamoon disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy. [6] |
| CHOPSTICK | 2015 | -- | CHOPSTICK may encrypt and store configuration data inside a registry key. [7] |
| Clipminer | 2011 | -- | Clipminer edits the registry. [8] |

Detection

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| persistence_remotedesktop | Modify Registry (E1112) | -- |
| browser_helper_object | Modify Registry (E1112) | -- |
| browser_security | Modify Registry (E1112) | -- |
| disables_notificationcenter | Modify Registry (E1112) | -- |
| removes_networking_icon | Modify Registry (E1112) | -- |
| tampers_powershell_logging | Modify Registry (E1112) | -- |
| disables_power_options | Modify Registry (E1112) | -- |
| disables_cpl_disable | Modify Registry (E1112) | -- |
| browser_startpage | Modify Registry (E1112) | -- |
| persistence_registry_script | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| hides_recycle_bin_icon | Modify Registry (E1112) | -- |
| disables_restore_default_state | Modify Registry (E1112) | -- |
| disables_auto_app_termination | Modify Registry (E1112) | -- |
| nemty_regkeys | Modify Registry (E1112) | -- |
| warzonerat_regkeys | Modify Registry (E1112) | -- |
| prevents_safeboot | Modify Registry (E1112) | -- |
| disables_smartscreen | Modify Registry (E1112) | -- |
| disables_context_menus | Modify Registry (E1112) | -- |
| reg_binary | Modify Registry (E1112) | RegCreateKeyExA, RegSetValueExA, RegCreateKeyExW, RegSetValueExW |
| stealth_hidden_extension | Modify Registry (E1112) | -- |
| disables_run_command | Modify Registry (E1112) | -- |
| persistence_ifeo | Modify Registry (E1112) | -- |
| persistence_silent_process_exit | Modify Registry (E1112) | -- |
| disables_backups | Modify Registry (E1112) | -- |
| creates_largekey | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| removes_username_startmenu | Modify Registry (E1112) | -- |
| stealth_hiddenreg | Modify Registry (E1112) | -- |
| disables_startmenu_search | Modify Registry (E1112) | -- |
| stealth_hide_notifications | Modify Registry (E1112) | -- |
| disables_app_launch | Modify Registry (E1112) | -- |
| neshta_regkeys | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW |
| creates_nullvalue | Modify Registry (E1112) | NtCreateKey, NtSetValueKey |
| geodo_banking_trojan | Modify Registry (E1112) | -- |
| persistence_autorun | Modify Registry (E1112) | NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA |
| persistence_autorun_tasks | Modify Registry (E1112) | NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA |
| persistence_safeboot | Modify Registry (E1112) | -- |
| modify_attachment_manager | Modify Registry (E1112) | -- |
| modify_certs | Modify Registry (E1112) | -- |
| modify_proxy | Modify Registry (E1112) | -- |
| disables_appv_virtualization | Modify Registry (E1112) | -- |
| njrat_regkeys | Modify Registry (E1112) | -- |
| modify_uac_prompt | Modify Registry (E1112) | -- |
| blackrat_registry_keys | Modify Registry (E1112) | RegQueryValueExW, RegSetValueExW |
| rdptcp_key | Modify Registry (E1112) | -- |
| disables_system_restore | Modify Registry (E1112) | -- |
| disables_folder_options | Modify Registry (E1112) | -- |
| office_security | Modify Registry (E1112) | -- |
| removes_security_maintenance_icon | Modify Registry (E1112) | -- |
| tampers_etw | Modify Registry (E1112) | -- |
| disables_event_logging | Modify Registry (E1112) | -- |
| browser_addon | Modify Registry (E1112) | -- |
| removes_startmenu_defaults | Modify Registry (E1112) | -- |
| disables_uac | Modify Registry (E1112) | -- |
| modify_security_center_warnings | Modify Registry (E1112) | -- |
| disables_wer | Modify Registry (E1112) | -- |
| office_perfkey | Modify Registry (E1112) | -- |
| modify_oem_information | Modify Registry (E1112) | -- |
| limerat_regkeys | Modify Registry (E1112) | -- |
| disables_windows_defender_dism | Modify Registry (E1112) | -- |
| disables_windows_defender_logging | Modify Registry (E1112) | -- |
| removes_windows_defender_contextmenu | Modify Registry (E1112) | -- |
| disables_browser_warn | Modify Registry (E1112) | -- |
| disables_windowsupdate | Modify Registry (E1112) | -- |
| removes_pinned_programs | Modify Registry (E1112) | -- |
| medusalocker_regkeys | Modify Registry (E1112) | -- |
| bypass_firewall | Modify Registry (E1112) | -- |
| remcos_regkeys | Modify Registry (E1112) | -- |
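The description and the malware table above name a handful of concrete registry tampers (LocalAccountTokenFilterPolicy set by Shamoon, Task Manager / Registry Editor / Command Prompt disabled by GoBotKR, remote desktop enablement, autorun entries), and the CAPE mapping lists the rules that cover them. The following audit script is an added example, not MBC or CAPE code: it evaluates an offline registry snapshot (a dict of key/value pairs, as a hive parser or sandbox export would produce) against those indicators. The value names (DisableTaskMgr, DisableRegistryTools, DisableCMD, fDenyTSConnections, EnableLUA) are the real Windows policy values for the behaviours the page describes; the user-writable-path heuristic for Run entries is an assumption of this example.

```python
"""Added example: audit a registry snapshot for the E1112 indicators this page names."""
from typing import Callable, Dict, List, Tuple

# Snapshot: (key path, value name) -> data, as an offline hive parser or a
# sandbox registry export would present it. Lookups are case-insensitive like the registry.
Snapshot = Dict[Tuple[str, str], object]

POLICY_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# (key, value name, predicate on data, finding label); labels reuse the CAPE rule names where one exists.
CHECKS: List[Tuple[str, str, Callable[[object], bool], str]] = [
    (POLICY_HKLM, "LocalAccountTokenFilterPolicy", lambda d: d == 1, "remote UAC filtering disabled (Shamoon-style)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", lambda d: d == 0, "RDP enabled (persistence_remotedesktop)"),
    (POLICY_HKCU, "DisableTaskMgr", lambda d: d == 1, "Task Manager disabled"),
    (POLICY_HKCU, "DisableRegistryTools", lambda d: d == 1, "Registry Editor disabled"),
    (r"HKCU\Software\Policies\Microsoft\Windows\System", "DisableCMD", lambda d: d in (1, 2), "Command Prompt disabled"),
    (POLICY_HKLM, "EnableLUA", lambda d: d == 0, "UAC disabled (disables_uac)"),
]
# Heuristic (assumption of this example): autorun commands in user-writable directories are suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def audit(snapshot: Snapshot) -> List[str]:
    """Return one finding string per matched indicator, policy checks first, then Run entries."""
    snap = {(k.lower(), n.lower()): d for (k, n), d in snapshot.items()}
    run_keys = {r.lower() for r in RUN_KEYS}
    findings: List[str] = []
    for key, name, hit, label in CHECKS:
        data = snap.get((key.lower(), name.lower()))
        if data is not None and hit(data):
            findings.append(f"{label}: {key}\\{name} = {data!r}")
    for (key, name), data in snap.items():
        if key in run_keys and isinstance(data, str) and any(p in data.lower() for p in USER_WRITABLE):
            findings.append(f"autorun from user-writable path (persistence_autorun): {key}\\{name} = {data}")
    return findings


# Constructed sample snapshot (not from a real host): two policy tampers, one suspicious
# Run entry, one benign Run entry and a benign EnableLUA value that must not fire.
SAMPLE: Snapshot = {
    (POLICY_HKLM, "LocalAccountTokenFilterPolicy"): 1,
    (POLICY_HKCU, "DisableTaskMgr"): 1,
    (POLICY_HKLM, "EnableLUA"): 1,
    (RUN_KEYS[0], "OneDrive"): r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    (RUN_KEYS[1], "Updater"): r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```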

References

[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking

[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON

[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/

[5] https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.

[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[7] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

[8] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking