Event ID 14 — RegistryEvent (Key and Value Rename)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Collection Priority: Recommended (Palantir, others)
Task: Registry object renamed (rule: RegistryEvent)
Opcode: Info

Description

Registry key and value rename operations map to this event type.

Message #

Registry object renamed:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
Image: %6
TargetObject: %7
NewName: %8
User: %9

Fields #

Name	Description
`EventType` UnicodeString → string	Registry event. Registry key and value renamed
`UtcTime` UnicodeString → string	Time in UTC when event was created
`ProcessGuid` GUID → GUID	Process GUID of the process that renamed a registry value and key
`ProcessId` UInt32 → PID	Process ID used by the OS to identify the process that renamed a registry value and key
`Image` UnicodeString → string	File path of the process that renamed a registry value and key
`TargetObject` UnicodeString → string	Complete path of the registry key
`NewName` UnicodeString → string	New name of the registry key
`RuleName` UnicodeString → string	—
`User` UnicodeString → string	—

Detection Patterns #

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

36 rules

Sigma

HybridConnectionManager Service Installation - Registry (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Windows Registry Trust Record Modification (source)

Antonlovesdnb, Trent Liffick (@tliffick)

Registry Tampering by Potentially Suspicious Processes (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Show 26 more (29 total)

Creation of a Local Hidden User Account by Registry (source)

Christian Burkard (Nextron Systems)

Narrator's Feedback-Hub Persistence (source)

Dmitriy Lifanov, oscd.community

Registry Persistence Mechanisms in Recycle Bin (source)

frack113

WINEKEY Registry Modification (source)

omkar72

Security Support Provider (SSP) Added to LSA Configuration (source)

iwillkeepwatch

Atbroker Registry Change (source)

Mateusz Wydra, oscd.community

Suspicious Run Key from Download (source)

Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)

DLL Load via LSASS (source)

Florian Roth (Nextron Systems)

Path To Screensaver Binary Modified (source)

Bartlomiej Czyz @bczyz1, oscd.community

Sticky Key Like Backdoor Usage - Registry (source)

Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Wdigest CredGuard Registry Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Registry Entries For Azorult Malware (source)

Trent Liffick

Potential Qakbot Registry Activity (source)

Hieu Tran

NetNTLM Downgrade Attack - Registry (source)

Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)

RedMimicry Winnti Playbook Registry Manipulation (source)

Alexander Rausch

Run Once Task Configuration in Registry (source)

Avneet Singh @v3t0_, oscd.community

CMSTP Execution Registry Event (source)

Nik Seetharaman

Windows Defender Threat Severity Default Action Modified (source)

Matt Anderson (Huntress)

Windows Credential Editor Registry (source)

Florian Roth (Nextron Systems)

Potential Credential Dumping Via LSASS SilentProcessExit Technique (source)

Florian Roth (Nextron Systems)

Esentutl Volume Shadow Copy Service Keys (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Suspicious Camera and Microphone Access (source)

Den Iuzvyk

New PortProxy Registry Entry Added (source)

Andreas Hunkeler (@Karneades)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Malicious InProcServer32 Modification (source)

Michael Haag, Splunk

Show 3 more (6 total)

Remcos client registry install entry (source)

Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk

Revil Registry Entry (source)

Steven Dick, Teoderick Contreras, Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Defense Evasion: Modify Registry

Sysmon Event ID 13: RegistryEventOREvent ID 14: RegistryEvent

8 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Wdigest CredGuard Registry Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Potential Qakbot Registry Activity (source)

Hieu Tran

Show 4 more (7 total)

NetNTLM Downgrade Attack - Registry (source)

Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)

RedMimicry Winnti Playbook Registry Manipulation (source)

Alexander Rausch

Run Once Task Configuration in Registry (source)

Avneet Singh @v3t0_, oscd.community

Registry Tampering by Potentially Suspicious Processes (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Teoderick Contreras, Splunk

Uac Bypass

Defender-DeviceRegistryEvents Event ID 9005000: Registry activity→Event ID 9005002: Registry key deleted→Event ID 9005003: Registry value set→Event ID 9005004: Registry value deleted→Security-Auditing Event ID 4657: A registry value was modified.→Event ID 4660: An object was deleted.→Event ID 4663: An attempt was made to access an object.→Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

5 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Splunk

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

WSReset UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Kusto Query Language

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Delete Defender Scan ShellEx Context Menu Registry Key source medium: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Windows Credential Guard Related Registry Value Deleted - Registry source high: Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted source medium: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Show 7 more (10 total)

Folder Removed From Exploit Guard ProtectedFolders List - Registry source high: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
Terminal Server Client Connection History Cleared - Registry source high: Detects the deletion of registry keys containing the MSTSC connection history
Removal Of AMSI Provider Registry Keys source high: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Removal of Potential COM Hijacking Registry Keys source medium: Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
RunMRU Registry Key Deletion - Registry source high: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
Removal Of Index Value to Hide Schedule Task - Registry source medium: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
Removal Of SD Value to Hide Schedule Task - Registry source medium: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

Event ID 14 — RegistryEvent (Key and Value Rename)

Description

Message #

Fields #

Detection Patterns #

Sigma

Splunk

Kusto Query Language

Defense Evasion: Modify Registry

Sigma

Splunk

Uac Bypass

Sigma

Splunk

Kusto Query Language

Detection Rules #

Sigma # view in reference

References #

Keyboard Shortcuts