Windows Registry

Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised /techniques/T1078 in-use by adversaries may help as well.

Monitor for the LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets being accessed

Monitor for unexpected windows registry key being accessed that may search the Registry on compromised systems for insecurely stored credentials.

Monitor for newly created windows registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Monitor Registry key additions to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.^[2] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Monitor for the creation/modification to Registry keys associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.

Monitor for new constructed windows registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Monitor Registry creation for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{{Path}}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.^[4][5]

Collect events related to Registry key creation for keys that could be used for Office-based persistence.^[6][7]

Monitor for the creation of the Office Test Registry key. Collect events related to Registry key creation for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.^[8]

Audit the Registry entries relevant for enabling add-ins.^[9][10]

Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: ^[11] 18F7C1FCC3090203FD5BAA2F861A754976C8DD25 245C97DF7514E7CF2DF8BE72AE957B9E04741E85 3B1EFD3A66EA28B16697394703A72CA340A05BD5 7F88CD7223F3C813818C994614A89C99FA3B5247 8F43288AD272F3103B6FB1428485EA3014C0BCFE A43489159A520F0D93D032CCAF37E7FE20A8B419 BE36A4562FB2EE05DBB3D32323ADF445084ED656 CDD4EEAE6000AC7F40C3802C171E30148030C072

Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Microsoft\AMSI\Providers.

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example: The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.^[12] The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.^[13][14]Analysts should monitor these Registry settings for unauthorized changes.

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. ^[2]

Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[15] [16]}

Monitor for changes made to windows registry keys and/or values modifying W32Time information in the Registry.

Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. ^[2]

Monitor the Registry for changes to the SSP Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[15] [16]}

Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism ^[2]

Monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver as they pertain to print processor installations.

Monitor Registry key modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.^[2] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.^[2]

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.

Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry.

Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. ^[17]

Monitor Registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc.

Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc.

Monitor for changes to windows registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc.

There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\Software\Classes\CLSID\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.^[18] Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.

Monitor for changes made to windows registry key or values for unexpected modifications of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key.

Monitor for changes made to windows registry keys and/or values that may use a hidden file system to conceal malicious activity from users and security tools.

Monitor for changes made to Windows Registry keys and/or values that may be the result of using a virtual instance to avoid detection. For example, if virtualization software is installed by the adversary the Registry may provide detection opportunities.

Monitor for modifications of PATH environment variable Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path. An adversary can add a new directory or list of directories before other locations where programs can be executed from.

Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.

For detecting system and user scope abuse of the COR_PROFILER variable, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools.

Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender.

Monitor for changes made to windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.

To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME{{PROVIDER_GUID}}

Monitor modifications to Registry data associated with enabling safe mode. For example, a service can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{{Path}}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.^[4][5]

Monitor for changes made to windows registry keys or values for unexpected modifications

Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.

Collect events related to Registry key modification for keys that could be used for Office-based persistence.^[6][7]

Monitor for changes made to the Office Test Registry key. Collect events related to Registry key modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.^[8]

Audit the Registry entries relevant for enabling add-ins.^[9][10]

Enable the Registry Global Object Access Auditing ^[20] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:^[21] HKLM\SOFTWARE\Microsoft\Cryptography\OID HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

Note: As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using Regsvr32.^[22]

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.^[22]

Monitoring changes to the Windows Registry may reveal malicious root certificate installation. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: ^[11] 18F7C1FCC3090203FD5BAA2F861A754976C8DD25 245C97DF7514E7CF2DF8BE72AE957B9E04741E85 3B1EFD3A66EA28B16697394703A72CA340A05BD5 7F88CD7223F3C813818C994614A89C99FA3B5247 8F43288AD272F3103B6FB1428485EA3014C0BCFE A43489159A520F0D93D032CCAF37E7FE20A8B419 BE36A4562FB2EE05DBB3D32323ADF445084ED656 CDD4EEAE6000AC7F40C3802C171E30148030C072

Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.

Inventory Control Panel items to locate unregistered and potentially malicious files present on systems: Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID{{GUID}}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. ^[23] CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {{Canonical_Name}}", SW_NORMAL);) or from a command line (control.exe /name {{Canonical_Name}}).^[23]* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder{{name}}\Shellex\PropertySheetHandlers where {{name}} is the predefined name of the system item.^[23]

Monitor for changes made to windows registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.