Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Registry modification is associated with a persistent, planned attack rather than a random, opportunistic attack. If the attacker can remotely modify the registry, they can launch additional attacks, disable security tools, run arbitrary code, or delete event logs.
Kill Chain
Risk Score
56
Every Windows device has a registry, which is a built-in hierarchical database that contains configuration data in the form of key-value pairs. This configuration data controls a number of critical processes, such as scripts that run at startup, initialization of security tools, and event logging. To change certain key values remotely, the attacker needs administrator privileges and access to the Remote Registry service on the target device. The attacker sends a Microsoft remote procedure call (MS-RPC) with commands to modify values of a specified key value. For example, the attacker can replace the value for the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key, which specifies scripts that run during system initiation. The new value includes the original string, but adds a path to malicious code.
Prevent unauthorized users from accessing the Windows registry by limiting the number of users with local administrator privileges
Restrict registry key from being accessed over a network connection
