Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Registry modification is associated with a persistent, planned attack rather than a random, opportunistic attack. If the attacker is able to remotely modify the registry, there are known vulnerabilities that can be exploited. A successful exploit can enable the remote attacker to launch additional attacks.
The system might change the risk score for this detection.
Kill Chain
Risk Score
56
Every Windows device has a registry, which is a built-in hierarchical database that contains configuration data in the form of key-value pairs. This configuration data controls a number of vital processes such as scripts that run at startup, initialization of security tools, and event logging. To change key values remotely, the attacker needs to have administrator privileges and the Remote Registry service needs to be running on the target device. Then, the attacker sends a remote procedure call (RPC) with commands to modify values of a specified key. For example, the attacker can replace the value for the Userinit key, which specifies scripts that run during system initiation. The new value includes the original string, but adds a path to malicious code. An attacker that can modify registry keys can launch additional attacks that disable security tools, run arbitrary code, and erase malicious activity from event logs.
