Description
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via Obfuscated Files or Information.(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. This requires the Remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
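The following is an added detection example, not code from MITRE ATT&CK or from any of the cited reports. It runs over a constructed batch of Sysmon Event ID 13 (RegistryEvent: Value Set) records, reduced to the TargetObject, Details and Image fields, and flags the defense-impairment changes described above: WDigest switched to keep plaintext credentials in memory, Office macro warnings disabled, Windows Defender disabled through its policy key, and key or value names containing a null character. The key paths are real Windows locations; grouping them into this watchlist, the field names, and the sample events (SIDs, paths, values) are assumptions made for the example.

```python
"""Flag Registry modifications matching the T1112 defense-impairment patterns.

Added example (not MITRE's or any vendor's detection logic). Input is a list of
dicts shaped like Sysmon Event ID 13 records; the sample events below are
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    image: str
    target: str
    reason: str


# (key regex, value name, data values considered risky, reason). The key paths
# are well-known Windows settings; assembling them into a watchlist is this
# example's own choice, not a published ruleset.
WATCHLIST = [
    (re.compile(r"\\Control\\SecurityProviders\\WDigest$", re.I),
     "UseLogonCredential", {1},
     "WDigest configured to keep plaintext credentials in memory"),
    (re.compile(r"\\Microsoft\\Office\\\d+\.\d+\\[^\\]+\\Security$", re.I),
     "VBAWarnings", {1},
     "Office macro security lowered to 'enable all macros'"),
    (re.compile(r"\\Policies\\Microsoft\\Windows Defender$", re.I),
     "DisableAntiSpyware", {1},
     "Windows Defender disabled via policy key"),
]


def normalize_dword(details: str):
    """Turn Sysmon's 'DWORD (0x00000001)' rendering, or a bare integer, into an int."""
    s = details.strip()
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", s)
    if m:
        return int(m.group(1), 16)
    if re.fullmatch(r"-?\d+", s):
        return int(s)
    return None  # binary/string data: not a DWORD


def check_event(event: dict) -> list:
    """Return the findings for one value-set event (empty list if benign)."""
    findings = []
    target = event["TargetObject"]
    image = event.get("Image", "?")
    # Null-prefixed names are unreadable through the Win32 Registry API; a
    # logged NUL in the path is itself worth an alert.
    if "\x00" in target:
        findings.append(Finding(image, target.replace("\x00", "<NUL>"),
                                "key or value name contains a null character"))
    key, _, value_name = target.rpartition("\\")
    data = normalize_dword(event.get("Details", ""))
    for key_re, name, risky, reason in WATCHLIST:
        if value_name.lower() == name.lower() and key_re.search(key) and data in risky:
            findings.append(Finding(image, target, reason))
    return findings


def scan(events) -> list:
    return [f for e in events for f in check_event(e)]


# Constructed sample: two impairing changes, one benign change, one hidden key,
# and one remediation (UseLogonCredential set back to 0).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\\x00hidden\\payload",
     "Details": "Binary Data"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.image} -> {f.target}")
```

The check matches on the parent key path rather than the whole TargetObject so that per-user hives (HKU\<SID>\...) and different Office versions are covered by one pattern, and it compares the decoded DWORD rather than the raw string so that a value reset to 0 is not reported as an impairment.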
Platforms
Mitigations (1)
Restrict Registry Permissions (M1024)
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
Threat Groups (29)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has modified Registry values to store payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Sym... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 O... |
| G0040 | Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent ... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has modified registry keys to prepare for ransomware execution and to disable common administra... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has modified Registry keys to elevate privileges, maintain persistence and allow remote access.(... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used malware to disable Windows Defender through modification of the Registry.(Citation: Korean FSI... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) performed Registry modifications to escalate privileges and disable security tools.(Citation: Picus... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has installed tools such as [Sagerunex](https://attack.mitre.org/software/S1210) by writing the... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has removed security settings for VBA macro execution by changing registry values <code>HKCU\... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key <code>HKLM\System\CurrentControlSet\Control\SecurityProviders\WDi... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has modified the Windows Registry to store the backdoor's configuration. (Citation: ESET Oce... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass th... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) modified the registry using the command <code>reg add “HKEY_CURRENT_USER\Environment” /v UserInit... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockin... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used reg.exe to modify system configuration.(Citation: Symantec Crambus OCT 2023)(Citation: Trend ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) modifies registry values for anti-forensics and defense evasion purposes.(Citation: Cadet Blizzard... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used `netsh` to create a PortProxy Registry modification on a compromised server running th... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has modified the Registry to perform multiple techniques through the use of [Reg](https://attack.mi... |
Associated Software (139)
| ID | Name | Type | Context |
|---|---|---|---|
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can remove persistence-related artifacts from the Registry.(Citation: Check Point APT35 CharmPow... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has a module to create, delete, or modify Registry keys.(Citation: Eset PlugX Korplug Mustang Panda M... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) can modify the Registry to store and maintain a configuration block and virtual file system.(Cita... |
| S0457 | Netwalker | Malware | [Netwalker](https://attack.mitre.org/software/S0457) can add the following registry entry: <code>HKEY_CURRENT_USER\SOFTWARE\{8 random characters}</cod... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) has the ability to modify the Registry key <code>HKCU\Software\ApplicationContainer\Appsw64</code> to... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB o... |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has modified Managed Object Format (MOF) files within the Registry to run specific commands and cr... |
| S0261 | Catchamas | Malware | [Catchamas](https://attack.mitre.org/software/S0261) creates three Registry keys to establish persistence by adding a [Windows Service](https://attack... |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) has altered the InstallTime subkey.(Citation: Gh0stRAT ATT March 2019) |
| S0242 | SynAck | Malware | [SynAck](https://attack.mitre.org/software/S0242) can manipulate Registry keys.(Citation: SecureList SynAck Doppelgänging May 2018) |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) can add, modify, and/or delete registry keys. It has changed the proxy configuration of a vic... |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) adds keys to the Registry at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</code> an... |
| S1033 | DCSrv | Malware | [DCSrv](https://attack.mitre.org/software/S1033) has created Registry keys for persistence.(Citation: Checkpoint MosesStaff Nov 2021) |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) had commands that allow an attacker to write or delete registry keys, and was observed stopping se... |
| S0569 | Explosive | Malware | [Explosive](https://attack.mitre.org/software/S0569) has a function to write itself to Registry values.(Citation: CheckPoint Volatile Cedar March 2015... |
| S0518 | PolyglotDuke | Malware | [PolyglotDuke](https://attack.mitre.org/software/S0518) can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 201... |
| S0012 | PoisonIvy | Malware | [PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 200... |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has added and deleted keys from the Registry.(Citation: MalwareBytes LazyScripter Feb 2021) |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to di... |
| S0397 | LoJax | Malware | [LoJax](https://attack.mitre.org/software/S0397) has modified the Registry key <code>‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Mana... |
References
- CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.
- CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.
- Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
- Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
- Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
- Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
- Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
Frequently Asked Questions
What is T1112 (Modify Registry)?
T1112 is a MITRE ATT&CK technique named 'Modify Registry'. It belongs to the Defense Impairment, Persistence tactic(s). Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on...
How can T1112 be detected?
Detection of T1112 (Modify Registry) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1112?
There is 1 documented mitigation for T1112: Restrict Registry Permissions.
Which threat groups use T1112?
Known threat groups using T1112 include: Turla, APT38, Patchwork, Indrik Spider, Medusa Group, Silence, TA505, APT19.