Threat Feed

Tag

Registry-Modification

59 briefs
high advisory

Privilege Escalation via Rogue Windir Environment Variable

A privilege escalation attempt is detected through modification of the Windows directory (Windir) environment variable, a technique often combined with other vulnerabilities to elevate privileges by redirecting system processes.

Elastic Defend +3 privilege-escalation registry-modification windows
2r 1t
medium advisory

Windows Port Forwarding Rule Addition via Registry Modification

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

Elastic Defend +3 port-forwarding registry-modification command-and-control defense-evasion windows
2r 3t
medium advisory

SIP Provider Modification for Defense Evasion

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Microsoft Defender XDR +2 defense-evasion windows registry-modification
2r 1t
medium advisory

Potential NetNTLMv1 Downgrade Attack via Registry Modification

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

Microsoft Defender XDR +2 defense-evasion ntlm registry-modification windows
2r 2t
medium advisory

Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement

Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.

Elastic Defend +3 defense-evasion lateral-movement persistence registry-modification
2r 4t
medium advisory

Suspicious Registry Modifications by Scripting Engines

Scripting engines such as WScript, CScript, and MSHTA are being used to make registry modifications, potentially for persistence or defense evasion.

registry-modification persistence defense-evasion scripting-engine
1r 3t
medium advisory

DNS Global Query Block List Modified or Disabled

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Elastic Defend +4 defense-evasion registry-modification windows
2r 3t
medium advisory

Network-Level Authentication (NLA) Disabled via Registry Modification

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

Microsoft Defender XDR +4 defense-evasion lateral-movement registry-modification windows
2r 2t
medium advisory

Suspicious Registry Modifications by Scripting Engines

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

Windows defense-evasion persistence execution registry-modification
2r 3t
low advisory

Windows Defender Disabled via Registry Modification

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

Windows Defender +1 defense-evasion windows registry-modification
2r 3t
high advisory

Windows Registry Modification to Disable Show Hidden Files

This analytic detects modifications to the Windows registry that disable the display of hidden files, a technique commonly used by malware to evade detection and conceal malicious activities.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 2t
high advisory

Windows Registry Modification to Disable Registry Tools

This analytic detects modifications to the Windows registry, specifically targeting the 'DisableRegistryTools' key, which is a common tactic used by malware for persistence and defense evasion by preventing the removal of malicious entries.

Windows +3 defense-evasion registry-modification persistence
2r 2t
high advisory

Windows Defender Context Menu Deletion Attempt

An attacker attempts to disable Windows Defender by deleting its context menu entry from the registry, a tactic often used by Remote Access Trojans (RATs) to impair defenses and facilitate further malicious activities.

Windows Defender defense-evasion registry-modification windows
2r 1t
medium advisory

Windows Downdate Attack Registry Modification

The Windows Downdate attack modifies specific registry keys to force a Windows downgrade, enabling exploitation of older, vulnerable versions; this detection identifies it by monitoring for the creation or modification of the pending.xml file in unusual locations.

Splunk Enterprise +2 defense-evasion privilege-escalation windows registry-modification
2r 1t
medium advisory

Windows Folder Options Disabled via Registry Modification

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions, a technique commonly used by malware to conceal malicious files and deceive users with fake file extensions.

Splunk Enterprise +3 defense-evasion registry-modification windows
2r
high advisory

Windows Defender Real-Time Behavior Monitoring Disabled via Registry Modification

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

Windows Defender +3 defense-evasion endpoint registry-modification
2r
high advisory

Windows Defender Controlled Folder Access Disabled via Registry Modification

An attacker modifies the Windows registry to disable Windows Defender Controlled Folder Access, a defense evasion technique that weakens protections against unauthorized access and ransomware.

Splunk Enterprise +3 defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows SmartScreen Disabled via Registry Modification

Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.

Windows defense-evasion registry-modification smartscreen
2r 1t
high advisory

Windows Registry Modification to Disable Task Manager

Attackers modify the Windows registry to disable Task Manager, preventing users from terminating malicious processes and allowing persistence.

Splunk Enterprise +3 defense-evasion privilege-escalation registry-modification
2r
high advisory

Windows EventLog ChannelAccess Registry Modification

An attacker modifies the Windows EventLog ChannelAccess registry value to evade defenses by blocking security products from accessing event logs.

Sysmon defense-evasion registry-modification eventlog windows
2r 1t
high advisory

Windows Defender Web Content Evaluation Disabled via Registry Modification

An attacker modifies the Windows registry to disable Windows Defender web content evaluation, potentially allowing malicious web content to bypass security checks and compromise the system.

Windows Defender +3 defense-evasion registry-modification windows
2r
medium advisory

Windows Defender Tracing Level Modification

The following analytic detects modifications to the Windows registry specifically targeting the 'WppTracingLevel' setting within Windows Defender, potentially impairing its diagnostic capabilities and allowing attackers to evade detection.

Windows Defender +3 defense-evasion registry-modification windows
2r
high advisory

Windows Defender SmartScreen Prompt Override via Registry Modification

Attackers modify the Windows registry so that SmartScreen prompts can be overridden, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.

Edge +3 defense-evasion registry-modification smartscreen
2r
medium advisory

Windows Defender Scan On Update Disabled via Registry Modification

An attacker modifies the Windows registry to disable the Windows Defender Scan On Update feature, potentially evading detection and establishing persistence.

Windows Defender +3 defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows Defender Real-time Signature Delivery Disabled via Registry Modification

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

Splunk Enterprise +3 defense-evasion windows-defender registry-modification endpoint
2r 1t
high advisory

Windows Defender Protocol Recognition Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender protocol recognition, hindering its ability to detect and respond to malware, potentially leading to successful data exfiltration or system compromise.

Windows Defender +3 defense-evasion windows registry-modification
2r 1t
high threat

Windows Defender MpEngine Disabled via Registry Modification

An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.

Windows Defender IcedID defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows Defender Logging Disabled via Registry Modification

Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.

Windows Defender +3 defense-evasion registry-modification windows
2r 1t
high advisory

Windows Defender Infection Reporting Disabled via Registry Modification

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

Windows Defender +3 defense-evasion registry-modification windows
2r
high advisory

Windows Defender File Hash Computation Disabled via Registry Modification

Attackers may disable Windows Defender's ability to compute file hashes by modifying the EnableFileHashComputation registry value, impairing its malware detection capabilities.

Windows Defender +3 defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows Defender Enhanced Notification Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender's Enhanced Notification feature, preventing users from receiving security alerts and potentially allowing malicious activities to go unnoticed, ultimately enabling persistence and evasion.

Windows Defender +3 registry-modification windows-defender persistence evasion
2r 1t
high threat

Windows Defender Disabled via Registry Modification

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

Windows Defender +3 Ryuk defense-evasion registry-modification ransomware windows
2r 1t
high advisory

Windows Defender Application Guard Auditing Disabled via Registry Modification

Attackers modify the Windows Registry to disable auditing for Windows Defender Application Guard, hindering security monitoring and enabling malicious activity to go unnoticed.

Windows Defender +3 defense-evasion registry-modification windows
2r 1t
high advisory

Windows Defender Antivirus Disabled via Registry Modification

Attackers modify Windows Defender registry settings to disable antivirus and antispyware protections, evading detection and maintaining persistence.

Windows Defender +3 defense-evasion registry-modification antivirus
2r 1t
high advisory

Windows Control Panel Disabled via Registry Modification

This analytic detects registry modifications that disable the Control Panel on Windows systems by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel' with a value of '0x00000001', which is commonly used by malware to prevent users from accessing the Control Panel and hindering remediation efforts.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 2t
medium advisory

Windows Application Hotkey Disablement via Registry Modification

Attackers disable Windows application hotkeys by modifying specific registry entries to hinder incident response and evade detection.

Splunk Enterprise +2 registry-modification defense-evasion persistence hotkey-disablement
2r 1t
low advisory

Unusual Persistence via Services Registry Modification

Detection of processes modifying the Windows services registry key directly, potentially indicating stealthy persistence attempts via abnormal service creation or modification.

Microsoft Defender XDR +2 persistence windows registry-modification
2r 3t
medium advisory

Suspicious Modifications to Windows Security Support Provider (SSP) Registry

Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.

Microsoft Defender XDR +4 persistence defense-evasion registry-modification ssp
2r 2t
medium advisory

SolarWinds Process Disabling Services via Registry Modification

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

Microsoft Defender XDR +1 solarwinds defense-evasion registry-modification supply-chain
2r 3t
medium advisory

RDP Enabled via Registry Modification

An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.

Microsoft Defender XDR +1 lateral-movement defense-evasion rdp registry-modification
2r 2t
medium advisory

NullSessionPipe Registry Modification for Lateral Movement

Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.

M365 Defender +3 lateral-movement defense-evasion registry-modification
3r 2t
medium advisory

Network Logon Provider Registry Modification

Adversaries may modify the network logon provider registry to register a rogue network logon provider module for persistence and credential access by intercepting authentication credentials in clear text during user logon.

Defender XDR +3 credential-access persistence registry-modification
2r 2t
medium advisory

Microsoft Defender Tampering via Registry Modification

Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.

Microsoft Defender XDR +4 defense-evasion registry-modification windows
2r 2t
low advisory

DNS-over-HTTPS Enabled via Registry Modification

Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.

Edge +2 defense-evasion dns-over-https registry-modification
3r 2t
medium advisory

Detection of Suspicious CrowdStrike Agent Registry Key Removal

This detection identifies delete events on CrowdStrike registry keys, which typically occur during agent uninstallation, so any unplanned or unexpected removal of these keys should be investigated for malicious activity such as defense evasion or exploits like CVE-2022-44721.

CrowdStrike Falcon Agent defense-evasion registry-modification endpoint
2r 1t 1c
high advisory

Detection of ETW Disabling via Registry Modification

Attackers may disable Event Tracing for Windows (ETW) by modifying specific registry keys to evade detection and hinder security monitoring, potentially leading to further system compromise.

.NETFramework +3 defense-evasion registry-modification etw ransomware windows
2r
high advisory

Detecting Disabling of Windows Defender Sample Submission

An attacker modifies the Windows registry to disable the Windows Defender Submit Samples Consent feature, preventing the submission of suspicious files for analysis, and potentially evading detection.

Splunk Enterprise +3 defense-evasion registry-modification windows-defender
2r
high advisory

Detect Windows Downdate Registry Activity

This detection identifies registry modifications associated with the Windows Downdate attack, specifically focusing on pending.xml file modifications outside standard locations, which could force a Windows downgrade for exploitation.

Splunk Enterprise +2 windows-downgrade registry-modification defense-evasion persistence
2r 2t
high advisory

AppLocker Registry Modification to Deny Security Software Execution

Attackers can modify the AppLocker configuration in the Windows registry to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Splunk Enterprise +2 applocker defense-evasion registry-modification
2r
high advisory

AMSI Disablement via Registry Modification

Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.

Windows +3 amsi defense-evasion registry-modification ransomware
2r
high advisory

Disabling CMD Application via Registry Modification

Attackers modify the Windows registry to disable the command prompt (cmd.exe), hindering incident response and potentially maintaining persistence.

Splunk Enterprise +2 registry-modification defense-evasion windows
2r 1t
medium advisory

Windows Registry Modification to Disable Run Application

The following analytic detects modification of the Windows registry to disable the Run application in the Start menu by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' with a value of '0x00000001', potentially hindering system cleaning and aiding malware persistence.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 1t
high advisory

Windows HVCI Disabled via Registry Modification

Detection of Hypervisor-protected Code Integrity (HVCI) being disabled by modifying specific Windows registry keys, potentially allowing the execution of malicious kernel-mode code.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 1t 1c
medium advisory

Windows Defender SmartScreen Level Downgrade to 'Warn'

This analytic detects modifications to the Windows Registry to set Windows Defender SmartScreen level to 'Warn', which can reduce user suspicion and increase the risk of malware execution.

Splunk Enterprise +3 defense-evasion registry-modification windows
2r 1t
medium advisory

Windows Defender PUA Protection Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender Potentially Unwanted Application (PUA) protection, increasing the risk of malware installation and system compromise.

Windows Defender +3 defense-evasion windows registry-modification
2r
high advisory

Windows Defender Firewall and Network Protection Disabled via Registry Modification

An attacker modifies the Windows registry to disable the Windows Defender Firewall and Network Protection settings, potentially weakening the system's security posture and increasing vulnerability to further attacks.

Windows Defender Security Center +3 defense-evasion registry-modification windows
2r 1t
high advisory

Registry Modification to Disable .NET ETW Logging

Attackers may modify the Windows registry to disable ETW logging for the .NET Framework, hindering endpoint detection and response capabilities.

Splunk Enterprise +2 defense-evasion registry-modification etw
2r 1t
high advisory

Modification of WDigest Security Provider

The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.

Windows +2 credential-access registry-modification
2r 1t
medium advisory

Code Signing Policy Modification Through Registry

Attackers may modify the Windows registry to disable code signing policy, allowing the execution of unsigned or self-signed malicious code, thereby bypassing security controls and enabling defense evasion.

Elastic Defend +2 defense-evasion registry-modification code-signing
2r 2t