| ID | E1112 |
| Objective(s) | Defense Evasion, Persistence |
| Related ATT&CK Techniques | Modify Registry (T1112) |
| Version | 2.3 |
| Created | 2 August 2022 |
| Last Modified | 28 April 2024 |
Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective). The Windows registry is a database that stores low-level settings for the operating system and for applications that opt to use the registry. Malware may create, delete, or modify registry keys and values to change the behavior of the system or certain applications. For instance, malware may modify registry keys to enable remote desktop connections, disable security features, or to automatically start the malware whenever the system boots. This technique is commonly used by various types of malware, including ransomware, trojans, and worms.
See ATT&CK: Modify Registry (T1112).
| Name | Date | Method | Description |
|---|---|---|---|
| GoBotKR | 2019 | -- | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [2] |
| Hupigon | 2013 | -- | The malware adds many entries to the registry. [3] |
| Gamut | 2014 | -- | The malware adds a registry key. [4] |
| Kovter | 2016 | -- | The malware modifies the registry during execution. [5] |
| Shamoon | 2012 | -- | Shamoon disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy. [6] |
| CHOPSTICK | 2015 | -- | CHOPSTICK may encrypt and store configuration data inside a registry key. [7] |
| Clipminer | 2011 | -- | Clipminer edits the registry. [8] |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| persistence_remotedesktop | Modify Registry (E1112) | -- |
| browser_helper_object | Modify Registry (E1112) | -- |
| browser_security | Modify Registry (E1112) | -- |
| disables_notificationcenter | Modify Registry (E1112) | -- |
| removes_networking_icon | Modify Registry (E1112) | -- |
| tampers_powershell_logging | Modify Registry (E1112) | -- |
| disables_power_options | Modify Registry (E1112) | -- |
| disables_cpl_disable | Modify Registry (E1112) | -- |
| browser_startpage | Modify Registry (E1112) | -- |
| persistence_registry_script | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| hides_recycle_bin_icon | Modify Registry (E1112) | -- |
| disables_restore_default_state | Modify Registry (E1112) | -- |
| disables_auto_app_termination | Modify Registry (E1112) | -- |
| nemty_regkeys | Modify Registry (E1112) | -- |
| warzonerat_regkeys | Modify Registry (E1112) | -- |
| prevents_safeboot | Modify Registry (E1112) | -- |
| disables_smartscreen | Modify Registry (E1112) | -- |
| disables_context_menus | Modify Registry (E1112) | -- |
| reg_binary | Modify Registry (E1112) | RegCreateKeyExA, RegSetValueExA, RegCreateKeyExW, RegSetValueExW |
| stealth_hidden_extension | Modify Registry (E1112) | -- |
| disables_run_command | Modify Registry (E1112) | -- |
| persistence_ifeo | Modify Registry (E1112) | -- |
| persistence_silent_process_exit | Modify Registry (E1112) | -- |
| disables_backups | Modify Registry (E1112) | -- |
| creates_largekey | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| removes_username_startmenu | Modify Registry (E1112) | -- |
| stealth_hiddenreg | Modify Registry (E1112) | -- |
| disables_startmenu_search | Modify Registry (E1112) | -- |
| stealth_hide_notifications | Modify Registry (E1112) | -- |
| disables_app_launch | Modify Registry (E1112) | -- |
| neshta_regkeys | Modify Registry (E1112) | RegSetValueExA, RegSetValueExW |
| creates_nullvalue | Modify Registry (E1112) | NtCreateKey, NtSetValueKey |
| geodo_banking_trojan | Modify Registry (E1112) | -- |
| persistence_autorun | Modify Registry (E1112) | NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA |
| persistence_autorun_tasks | Modify Registry (E1112) | NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA |
| persistence_safeboot | Modify Registry (E1112) | -- |
| modify_attachment_manager | Modify Registry (E1112) | -- |
| modify_certs | Modify Registry (E1112) | -- |
| modify_proxy | Modify Registry (E1112) | -- |
| disables_appv_virtualization | Modify Registry (E1112) | -- |
| njrat_regkeys | Modify Registry (E1112) | -- |
| modify_uac_prompt | Modify Registry (E1112) | -- |
| blackrat_registry_keys | Modify Registry (E1112) | RegQueryValueExW, RegSetValueExW |
| rdptcp_key | Modify Registry (E1112) | -- |
| disables_system_restore | Modify Registry (E1112) | -- |
| disables_folder_options | Modify Registry (E1112) | -- |
| office_security | Modify Registry (E1112) | -- |
| removes_security_maintenance_icon | Modify Registry (E1112) | -- |
| tampers_etw | Modify Registry (E1112) | -- |
| disables_event_logging | Modify Registry (E1112) | -- |
| browser_addon | Modify Registry (E1112) | -- |
| removes_startmenu_defaults | Modify Registry (E1112) | -- |
| disables_uac | Modify Registry (E1112) | -- |
| modify_security_center_warnings | Modify Registry (E1112) | -- |
| disables_wer | Modify Registry (E1112) | -- |
| office_perfkey | Modify Registry (E1112) | -- |
| modify_oem_information | Modify Registry (E1112) | -- |
| limerat_regkeys | Modify Registry (E1112) | -- |
| disables_windows_defender_dism | Modify Registry (E1112) | -- |
| disables_windows_defender_logging | Modify Registry (E1112) | -- |
| removes_windows_defender_contextmenu | Modify Registry (E1112) | -- |
| disables_browser_warn | Modify Registry (E1112) | -- |
| disables_windowsupdate | Modify Registry (E1112) | -- |
| removes_pinned_programs | Modify Registry (E1112) | -- |
| medusalocker_regkeys | Modify Registry (E1112) | -- |
| bypass_firewall | Modify Registry (E1112) | -- |
| remcos_regkeys | Modify Registry (E1112) | -- |
[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON
[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/
[5] https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.
[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[7] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[8] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking