Windows Registry

A hierarchical database in the Windows OS that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations.[1]

ID: DS0024
Platform: Windows
Collection Layer: Host
Version: 1.0
Created: 20 October 2021
Last Modified: 20 October 2021

Data Components

Windows Registry: Windows Registry Key Access

Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)

Domain      ID         Name
Enterprise  T1003      OS Credential Dumping
Enterprise  T1003.002  Security Account Manager
Enterprise  T1003.004  LSA Secrets
Enterprise  T1012      Query Registry
Enterprise  T1614.001  System Location Discovery: System Language Discovery
Enterprise  T1552      Unsecured Credentials
Enterprise  T1552.002  Credentials in Registry

Windows Registry: Windows Registry Key Creation

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

Domain      ID         Name
Enterprise  T1547      Boot or Logon Autostart Execution
Enterprise  T1547.001  Registry Run Keys / Startup Folder
Enterprise  T1547.014  Active Setup
Enterprise  T1037      Boot or Logon Initialization Scripts
Enterprise  T1037.001  Logon Script (Windows)
Enterprise  T1176      Browser Extensions
Enterprise  T1543      Create or Modify System Process
Enterprise  T1543.003  Windows Service
Enterprise  T1562.002  Impair Defenses: Disable Windows Event Logging
Enterprise  T1562.009  Impair Defenses: Safe Mode Boot
Enterprise  T1112      Modify Registry
Enterprise  T1137      Office Application Startup
Enterprise  T1137.001  Office Template Macros
Enterprise  T1137.002  Office Test
Enterprise  T1137.006  Add-ins
Enterprise  T1553      Subvert Trust Controls
Enterprise  T1553.004  Install Root Certificate

Windows Registry: Windows Registry Key Deletion

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

Domain      ID         Name
Enterprise  T1562      Impair Defenses
Enterprise  T1562.001  Disable or Modify Tools
Enterprise  T1070      Indicator Removal on Host
Enterprise  T1112      Modify Registry

Windows Registry: Windows Registry Key Modification

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13 or 14)

Domain      ID         Name
Enterprise  T1548      Abuse Elevation Control Mechanism
Enterprise  T1548.002  Bypass User Account Control
Enterprise  T1557      Adversary-in-the-Middle
Enterprise  T1557.001  LLMNR/NBT-NS Poisoning and SMB Relay
Enterprise  T1547      Boot or Logon Autostart Execution
Enterprise  T1547.001  Registry Run Keys / Startup Folder
Enterprise  T1547.002  Authentication Package
Enterprise  T1547.003  Time Providers
Enterprise  T1547.004  Winlogon Helper DLL
Enterprise  T1547.005  Security Support Provider
Enterprise  T1547.010  Port Monitors
Enterprise  T1547.012  Print Processors
Enterprise  T1547.014  Active Setup
Enterprise  T1543      Create or Modify System Process
Enterprise  T1543.003  Windows Service
Enterprise  T1546      Event Triggered Execution
Enterprise  T1546.001  Change Default File Association
Enterprise  T1546.002  Screensaver
Enterprise  T1546.007  Netsh Helper DLL
Enterprise  T1546.008  Accessibility Features
Enterprise  T1546.009  AppCert DLLs
Enterprise  T1546.010  AppInit DLLs
Enterprise  T1546.011  Application Shimming
Enterprise  T1546.012  Image File Execution Options Injection
Enterprise  T1546.015  Component Object Model Hijacking
Enterprise  T1564      Hide Artifacts
Enterprise  T1564.002  Hidden Users
Enterprise  T1564.005  Hidden File System
Enterprise  T1564.006  Run Virtual Instance
Enterprise  T1574      Hijack Execution Flow
Enterprise  T1574.011  Services Registry Permissions Weakness
Enterprise  T1574.012  COR_PROFILER
Enterprise  T1562      Impair Defenses
Enterprise  T1562.001  Disable or Modify Tools
Enterprise  T1562.004  Disable or Modify System Firewall
Enterprise  T1562.006  Indicator Blocking
Enterprise  T1562.009  Safe Mode Boot
Enterprise  T1070      Indicator Removal on Host
Enterprise  T1490      Inhibit System Recovery
Enterprise  T1056      Input Capture
Enterprise  T1056.001  Keylogging
Enterprise  T1556      Modify Authentication Process
Enterprise  T1556.002  Password Filter DLL
Enterprise  T1112      Modify Registry
Enterprise  T1137      Office Application Startup
Enterprise  T1137.001  Office Template Macros
Enterprise  T1137.002  Office Test
Enterprise  T1137.006  Add-ins
Enterprise  T1489      Service Stop
Enterprise  T1218      Signed Binary Proxy Execution
Enterprise  T1218.002  Control Panel
Enterprise  T1553      Subvert Trust Controls
Enterprise  T1553.003  SIP and Trust Provider Hijacking
Enterprise  T1553.004  Install Root Certificate
Enterprise  T1553.006  Code Signing Policy Modification
Enterprise  T1569      System Services
Enterprise  T1569.002  Service Execution
Enterprise  T1111      Two-Factor Authentication Interception

References