Event ID 4657 — A registry value was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Registry
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

A registry value was modified.

Message #

A registry value was modified.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Name: %5
	Object Value Name: %6
	Handle ID: %7
	Operation Type: %8

Process Information:
	Process ID: %13
	Process Name: %14

Change Information:
	Old Value Type: %9
	Old Value: %10
	New Value Type: %11
	New Value: %12

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`ObjectName` UnicodeString	[Object] Object Name.
`ObjectValueName` UnicodeString	[Object] Object Value Name.
`HandleId` Pointer	[Object] Handle ID.
`OperationType` UnicodeString	[Object] Operation Type. Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`OldValueType` UnicodeString	[Change Information] Old Value Type. Known values `%%1872` REG_NONE `%%1873` REG_SZ `%%1874` REG_EXPAND_SZ `%%1875` REG_BINARY `%%1876` REG_DWORD `%%1877` REG_DWORD_BIG_ENDIAN `%%1878` REG_LINK `%%1879` REG_MULTI_SZ (New lines are replaced with . A is replaced with **) `%%1880` REG_RESOURCE_LIST `%%1881` REG_FULL_RESOURCE_DESCRIPTOR `%%1882` REG_RESOURCE_REQUIREMENTS_LIST `%%1883` REG_QWORD
`OldValue` UnicodeString	[Change Information] Old Value.
`NewValueType` UnicodeString	[Change Information] New Value Type. Known values `%%1872` REG_NONE `%%1873` REG_SZ `%%1874` REG_EXPAND_SZ `%%1875` REG_BINARY `%%1876` REG_DWORD `%%1877` REG_DWORD_BIG_ENDIAN `%%1878` REG_LINK `%%1879` REG_MULTI_SZ (New lines are replaced with . A is replaced with **) `%%1880` REG_RESOURCE_LIST `%%1881` REG_FULL_RESOURCE_DESCRIPTOR `%%1882` REG_RESOURCE_REQUIREMENTS_LIST `%%1883` REG_QWORD
`NewValue` UnicodeString	[Change Information] New Value.
`ProcessId` Pointer	[Process Information] Process ID.
`ProcessName` UnicodeString	[Process Information] Process Name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4657,
    "version": 0,
    "level": 0,
    "task": 12801,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:45:45.086232+00:00",
    "event_record_id": 292511,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 12116
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E",
    "ObjectValueName": "Blob",
    "HandleId": "0x1994",
    "OperationType": "%%1905",
    "OldValueType": "%%1875",
    "OldValue": "%%1800",
    "NewValueType": "%%1875",
    "NewValue": "%%1800",
    "ProcessId": "0x328",
    "ProcessName": "C:\\Windows\\System32\\lsass.exe"
  },
  "message": ""
}

Detection Patterns #

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Privilege Escalation: Bypass User Account Control

Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4688: A new process has been created.

1 rule

Kusto Query Language

Potential Fodhelper UAC Bypass (source)

Defense Evasion: Modify Registry

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Sysmon Channel Reference Deletion (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Defense Evasion: Impair Defenses

Defender-DeviceRegistryEvents Event ID 9005003: Registry value setORSecurity-Auditing Event ID 4657: A registry value was modified.ORSysmon Event ID 13: RegistryEvent

1 rule

Kusto Query Language

MosaicLoader (source)

Collection: Audio Capture

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Processes Accessing the Microphone and Webcam (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Community Notes #

Requires AuditRegistry/SetValue SACL.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

ETW Logging Disabled In .NET Processes - Registry source high: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
NetNTLM Downgrade Attack source high: Detects NetNTLM downgrade attack
Windows Defender Exclusion List Modified source medium: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Kusto Query Language # view in reference

Scheduled Task Hide source high: 'This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/'

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4657 — A registry value was modified.

Description

Message #

Fields #

Example Event #

Detection Patterns #

Uac Bypass

Sigma

Splunk

Kusto Query Language

Privilege Escalation: Bypass User Account Control

Kusto Query Language

Defense Evasion: Modify Registry

Sigma

Defense Evasion: Impair Defenses

Kusto Query Language

Collection: Audio Capture

Sigma

Community Notes #

Detection Rules #

Sigma # view in reference

Kusto Query Language # view in reference

Related Events #

References #