Modify Registry T1112

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Events covered

20 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 251 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (44 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| Details | 129 | eq 103, is_not_null 18, contains 11, starts_with 6, ends_with 5, length_compare 4, wildcard 3, in 2, is_null 2 | 0x00000001, DWORD (0x00000001), 0x00000000, 0, DWORD (0x00000000) |
| TargetObject | 99 | ends_with 50, contains 33, wildcard 20, eq 7, regex_match 5, starts_with 3, in 1, match 1 | \imagepath, \path, \software\google\chrome\dnsoverhttpsmode, \software\policies\microsoft\edge\builtindnsclientenabled, \software\winternals\bginfo\userfields\ |
| registry_path | 69 | contains 34, ends_with 33, eq 1, in 1 | \\software\\microsoft\\windows\\currentversion\\policies\..., \\inprocserver32\\, *\\Software\\Microsoft\\Office\\*\\Outlook\\Today, *\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*, *\\Tencent\\QQPCMgr\\* |
| registry_value_name | 43 | eq 36, in 6, ne 1, regex_match 1 | ImagePath, Debugger, URL, UseLogonCredential, AccessVBOM |
| event.type | 35 | eq 32, in 3 | change, creation, start |
| CommandLine | 29 | contains 24, regex_match 7, ends_with 2 | " add ", " -a ", " -c ", " -e ", " /f" |
| EventID | 29 | eq 28, in 1 | 4688, 1, 4104, 13, 4103 |
| Image | 29 | ends_with 26, contains 6, eq 6, starts_with 4, is_null 1, regex_match 1 | \reg.exe, \powershell.exe, \pwsh.exe, :\program files (x86)\microsoft office\, :\program files\common files\microsoft shared\clicktorun\ |
| OriginalFileName | 15 | eq 15 | reg.exe, powershell.exe, pwsh.dll, regedit.exe, regini.exe |
| EventType | 14 | eq 7, ne 5, in 2 | deletion, modified, DeleteValue, deleted, CreateKey |
| process_name | 9 | eq 4, match 2, ends_with 1, in 1, wildcard 1 | (?i)\x5cregini\.exe, cmd.exe, \system32\wbem\wmiprvse.exe, configurationwizard*.exe, dxdiag.exe |
| Type | 8 | eq 8 | |
| ObjectName | 4 | contains 3, ends_with 1, starts_with 1 | \REGISTRY\MACHINE\SAM\SAM\DOMAINS\Account, \REGISTRY\MACHINE\SAM\SAM\DOMAINS\Builtin, \REGISTRY\MACHINE\SECURITY\Cache, \SOFTWARE\Microsoft\.NETFramework, \control\lsa |
| ObjectValueName | 3 | eq 3 | COMPlus_ETWEnabled, COMPlus_ETWFlags, ETWEnabled, Enabled, LmCompatibilityLevel |
| ServiceName | 2 | eq 2 | BTOBTO, SC Scheduled Scan, UpdatMachine |

Top indicator values (1070 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| Details | eq | 0x00000001 | 40 | 63 |
| Details | eq | DWORD (0x00000001) | 22 | 42 |
| Details | eq | 0x00000000 | 17 | 43 |
| Details | eq | DWORD (0x00000000) | 13 | 40 |
| Details | eq | 0 | 11 | 12 |
| Details | eq | 1 | 8 | 12 |
| Details | eq | Binary Data | 5 | 8 |
| Details | eq | DWORD (0x00000002) | 5 | 11 |
| Details | eq | (Empty) | 3 | 24 |
| Details | eq | 0x00000002 | 3 | 4 |
| event.type | eq | change | 31 | 46 |
| EventID | eq | 4688 | 10 | 312 |
| EventID | eq | 1 | 8 | 232 |
| EventID | eq | 4104 | 6 | 268 |
| EventID | eq | 4103 | 4 | 105 |
| EventID | eq | 4657 | 4 | 17 |
| EventID | eq | 13 | 3 | 22 |
| Image | ends_with | \reg.exe | 8 | 60 |
| Image | ends_with | \officeclicktorun.exe | 3 | 11 |
| OriginalFileName | eq | reg.exe | 8 | 42 |
| OriginalFileName | eq | powershell.exe | 4 | 121 |
| EventType | ne | deletion | 5 | 5 |
| CommandLine | contains | add | 4 | 15 |
| CommandLine | contains | .reg | 3 | 4 |
| CommandLine | contains | add | 3 | 36 |
| CommandLine | contains | new-itemproperty | 3 | 7 |
| CommandLine | contains | set-itemproperty | 3 | 7 |
| CommandLine | regex_match | :[^ \\] | 4 | 4 |
| Details | length_compare | 0 | 4 | 4 |
| Details | length_compare | > | 4 | 4 |

Exclusions (318 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| user.id | eq | S-1-5-18 | 7 |
| Image | wildcard | ?:\windows\system32\svchost.exe | 6 |
| Image | wildcard | ?:\windows\system32\msiexec.exe | 4 |
| Image | wildcard | \device\harddiskvolume*\windows\system32\svchost.exe | 4 |
| Image | wildcard | ?:\program files (x86)\*.exe | 3 |
| Image | wildcard | ?:\program files\*.exe | 3 |
| Details | eq | (Empty) | 3 |
| Details | eq | Binary Data | 2 |
| Image | ends_with | \officeclicktorun.exe | 3 |
| Image | eq | ?:\windows\system32\svchost.exe | 3 |
| CommandLine | contains | -a | 2 |
| CommandLine | contains | -c | 2 |
| CommandLine | contains | -e | 2 |
| CommandLine | regex_match | :[^ \\] | 2 |
| Image | contains | :\program files (x86)\microsoft office\ | 2 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 95 rules
Elastic: 43 rules
Splunk: 104 rules
Kusto: 1 rule
YARA-L: 8 rules