detection.wiki

ATT&CK coverage › Technique

Modify Registry T1112

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Sysmon14RegistryEvent (Key and Value Rename)
Security-Auditing4657A registry value was modified.
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4688A new process has been created.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender5007Product Name Configuration has changed.

Authoring guide

Patterns shared across the 149 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (22 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Details91eq 79, is_not_null 18, match 6, starts_with 4, ends_with 3, is_null 1"0x00000001", DWORD (0x00000001), DWORD (0x00000000), "0x00000000", 0x00000001
registry_path67eq 66, in 1"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policie..., "*\\InProcServer32\\*", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policie..., "*\\Control\\MiniNt\\*", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explore...
TargetObject54ends_with 40, match 22, eq 4, starts_with 2SYSTEM\, \Software\Winternals\BGInfo\UserFields\, \URL, SOFTWARE\Policies\Microsoft\Windows Defender\UX..., Software\Microsoft\Windows\CurrentVersion\Policies\Explor...
Image24ends_with 22, starts_with 4, eq 4, match 3, is_null 1\reg.exe, \powershell.exe, \pwsh.exe, \regedit.exe, \OfficeClickToRun.exe
CommandLine20match 18, regex_match 4, ends_with 1\System\CurrentControlSet\Control\Lsa, /i , -e , .reg, add
registry_value_name14eq 8, in 6, regex_match 1"Debugger", "UseLogonCredential", "NoLogOff", "StartMenuLogOff", "DisableNotificationCenter"
OriginalFileName12eq 12reg.exe, pwsh.dll, REGEDIT.EXE, powershell.exe, REGINI.EXE
EventType7eq 7DeleteValue, deleted, modified, CreateKey, DeleteKey
ObjectName3match 3, ends_with 1\SOFTWARE\Microsoft\.NETFramework, \Environment, \Control\Lsa, \REGISTRY\MACHINE\SYSTEM, ControlSet
ObjectValueName3eq 3COMPlus_ETWEnabled, COMPlus_ETWFlags, ETWEnabled, NtlmMinClientSec, LmCompatibilityLevel
EventID3eq 35007, 12
NewName1eq 1HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
IntegrityLevel1eq 1S-1-16-8192, Medium
ScriptBlockText1match 1CreateObject, Wscript.shell, .RegWrite
Description1eq 1Run Once Wrapper

Top indicator values (552 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Detailseq"0x00000001"2642
DetailseqDWORD (0x00000001)1737
DetailseqDWORD (0x00000000)1138
Imageends_with\reg.exe846
OriginalFileNameeqreg.exe729
Detailseq"0x00000000"727
Detailseq0x00000001712
DetailseqDWORD (0x00000002)49
CommandLineregex_match:[^ \\]44
Detailseq034
Detailseq(Empty)324
CommandLinematchadd316
CommandLinematch add 311
Imageends_with\powershell.exe3143
Imageends_with\pwsh.exe3140
OriginalFileNameeqpwsh.dll372
registry_patheq"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*"33
Detailseq"Binary Data"33
TargetObjectends_withSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel22
TargetObjectends_withSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun22

Common exclusions (3 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
Imagein"*\\program files*"1
Imagein"*\\windows\\*"1
process_nameeq"Outlook.exe"1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 77 rules

Splunk 72 rules