Threat Feed
high advisory

Windows Registry Modification to Disable Registry Tools

This analytic detects modifications to the Windows registry that target the DisableRegistryTools value under the Policies\System key, a tactic commonly used by malware for persistence and defense evasion: with the Registry Editor disabled, the malicious entries it depends on are harder to find and remove.

This detection identifies attempts to disable the Windows Registry Editor (regedit.exe) by modifying the DisableRegistryTools value in the Windows registry. Malware, Remote Access Trojans (RATs) in particular, commonly uses this technique to keep defenders from removing malicious registry entries. Setting DisableRegistryTools to 0x00000001 disables the Registry Editor (a value of 0x00000002 disables it silently, without the policy message), which hinders incident response and helps the malware maintain persistence on the compromised system. The value is honoured under both HKLM and HKCU, so a write to either hive is relevant. Outside of a deliberate Group Policy deployment of "Prevent access to registry editing tools", this activity is a strong indicator of malicious intent and requires immediate investigation. The analytic leverages the Endpoint.Registry data model in Splunk.

Attack Chain

  1. The attacker gains initial access to the system through an exploit, social engineering, or other means.
  2. The attacker executes a malicious binary or script on the compromised system.
  3. The malicious binary or script attempts to modify the Windows registry.
  4. It targets the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (or the same path under HKCU, which requires no elevation).
  5. It sets the DisableRegistryTools value to 0x00000001.
  6. The Registry Editor is disabled, preventing the user from inspecting or modifying registry entries with regedit.exe; other tools such as reg.exe and PowerShell are not blocked by this value alone.
  7. The malware establishes persistence and continues its malicious activities.

Impact

A successful attack that disables registry tools can significantly impede incident response. With the Registry Editor unavailable, administrators cannot readily inspect or remove the entries the malware relies on, which helps attackers maintain persistence, evade detection, and delay remediation. This can lead to prolonged infections, data breaches, and further compromise of the affected system.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect suspicious modifications to the DisableRegistryTools registry value.
  • Enable Sysmon Event ID 13 (RegistryEvent, Value Set) for the Policies\System key and ingest it with the official Sysmon TA so the registry modification events are available.
  • Investigate any alert triggered by the Sigma rule, focusing on the process that wrote the value (its path, parent process and signature) and on whether Group Policy legitimately deploys this setting in your environment.
  • Review and harden registry permissions to prevent unauthorized modifications, and restore access by resetting DisableRegistryTools to 0 (or deleting the value) once the host has been cleaned.

Detection coverage (2 rules)

Detect Registry Modification to Disable Registry Tools

high

Detects modification of the Windows registry to disable registry tools by setting the DisableRegistryTools value to 0x00000001.

Type: sigma
Tactics: defense_evasion, persistence
Techniques: T1112, T1547.001
Sources: registry_set, windows

Process Modifying DisableRegistryTools Value

medium

Detects processes that are modifying the DisableRegistryTools registry value.

Type: sigma
Tactics: defense_evasion, persistence
Techniques: T1112
Sources: registry_set, windows
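The following is an added example, not one of the platform's Sigma rules, showing the logic of both detections above (and the attack chain they cover) run over constructed Sysmon Event ID 13 records. It matches on the TargetObject suffix so writes to either HKLM or the user hive (which Sysmon reports as HKU\<SID>\...) are caught, parses Sysmon's "DWORD (0x...)" Details format, and goes one step beyond the high-severity rule's 0x00000001 by also treating 0x00000002 (regedit disabled silently) as a disabling state. The sample events, file paths and the optional allowlist hook are assumptions made for the illustration.

```python
"""Detection logic for DisableRegistryTools being set, run over constructed
Sysmon Event ID 13 (RegistryEvent, Value Set) records.

Added example for this advisory, not the platform's Sigma rules. Field names
(EventID, EventType, Image, TargetObject, Details) follow the Sysmon EID 13
schema; the sample events are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Path suffix of the value; regedit honours it under both HKLM and HKCU,
# and Sysmon reports the user hive as HKU\<SID>\..., so match on the suffix.
TARGET_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"

# Sysmon renders REG_DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# States that lock regedit out: 1 = disabled with the policy message,
# 2 = disabled silently (the Group Policy "run silently" option).
DISABLING_VALUES = (1, 2)


@dataclass
class Alert:
    severity: str
    rule: str
    image: str
    target: str
    value: Optional[int]


def parse_dword(details: str) -> Optional[int]:
    """Return the integer of a Sysmon DWORD Details string, else None."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event: dict, allowlisted_images: Iterable[str] = ()) -> List[Alert]:
    """Apply both detections from this advisory to one Sysmon record.

    allowlisted_images is a tuning hook (assumption: tune per environment),
    e.g. the process that applies Group Policy where the policy is deployed
    deliberately; it is empty by default so nothing is silently dropped.
    """
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return []
    target = event.get("TargetObject", "")
    if not target.lower().endswith(TARGET_SUFFIX.lower()):
        return []
    image = event.get("Image", "")
    if image.lower() in {i.lower() for i in allowlisted_images}:
        return []
    value = parse_dword(event.get("Details", ""))
    # Medium: any process touching the value (broad, for hunting and triage).
    alerts = [Alert("medium", "Process Modifying DisableRegistryTools Value",
                    image, target, value)]
    # High: the value is set to a state that disables the Registry Editor.
    if value in DISABLING_VALUES:
        alerts.append(Alert("high", "Detect Registry Modification to Disable Registry Tools",
                            image, target, value))
    return alerts


def run(events: Iterable[dict], allowlisted_images: Iterable[str] = ()) -> List[Alert]:
    """Evaluate a stream of records and return every alert in order."""
    return [a for e in events for a in evaluate(e, allowlisted_images)]


# Constructed Sysmon EID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # malicious: binary in the user profile disables regedit via the user hive
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Users\alice\AppData\Roaming\update\svchost.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
        "Details": "DWORD (0x00000001)",
    },
    {   # remediation: an administrator resets the value to 0 with reg.exe (medium only)
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
        "Details": "DWORD (0x00000000)",
    },
    {   # a different value under the same key: no alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} -> {a.target} = {a.value}")
```

Running the script yields a medium and a high alert for the first record, a medium alert only for the reg.exe reset to 0, and nothing for the EnableLUA write. Keeping the medium rule broad is deliberate: a write of 0 by an unexpected process is still worth a look during an investigation, while the high rule is the one to page on.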
