Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

Procedure examples:

AADInternals can modify registry keys as part of setting a new pass-through authentication agent.
ADVSTORESHELL is capable of setting and deleting Registry values.
Agent Tesla can achieve persistence by modifying Registry key entries.
APT19 uses a Port 22 malware variant to modify several Registry keys.
APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.
APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.
APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.
Attor's dispatcher can modify the Run registry key.
Avaddon modifies several registry keys for persistence and UAC bypass.
BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.
BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.
Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.
Bisonal has deleted Registry keys to clean up its prior activity.
BitPaymer can set values in the Registry to help in execution.
Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.
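The behaviours described above (writes to autostart keys, edits to the firewall open-ports list, key deletions for cleanup, null-prefixed "pseudo-hidden" names, and use of the built-in Reg utility) map directly onto registry-event telemetry. The following is an added detection example written for this page; it is not MITRE ATT&CK content or any vendor's rule set. The event records are constructed inline in a simplified Sysmon-like shape, and the field names (`op`, `key`, `value_name`, `image`) are assumptions rather than a real log schema.

```python
"""Triage registry-modification events for the behaviours this page describes.

Added example for this page, not MITRE ATT&CK content. Events are constructed
inline in a simplified, Sysmon-like shape; field names are assumptions.
"""
from typing import Dict, List

# Key locations the page names as adversary targets: the autostart Run keys
# (the fragment also matches RunOnce) and the legacy Windows Firewall
# open-ports list modified by BADCALL.
WATCHED_KEY_FRAGMENTS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
)

# Constructed sample telemetry (not real events). e2 carries a key name that
# begins with a null character, the pseudo-hidden technique described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "op": "SetValue",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "image": r"C:\Windows\System32\reg.exe"},
    {"id": "e2", "op": "CreateKey",
     "key": "HKLM\\SOFTWARE\\Vendor\\\x00Hidden",
     "value_name": "", "image": r"C:\Users\Public\agent.exe"},
    {"id": "e3", "op": "SetValue",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
     "value_name": "8443:TCP:*:svc", "image": r"C:\ProgramData\svc.exe"},
    {"id": "e4", "op": "DeleteKey",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "", "image": r"C:\Windows\System32\reg.exe"},
    {"id": "e5", "op": "SetValue",
     "key": r"HKCU\Software\Contoso\Editor\Settings",
     "value_name": "Theme", "image": r"C:\Program Files\Contoso\editor.exe"},
]


def is_pseudo_hidden(name: str) -> bool:
    """A key or value name containing a null character cannot be read correctly
    through the Win32 API (Reg, regedit), so it is 'pseudo-hidden' as the page
    describes. Kernel-level telemetry still records the full name, so the
    null byte itself is the indicator."""
    return "\x00" in name


def touches_watched_key(key: str) -> bool:
    """Case-insensitive match against the watched key fragments."""
    key_lower = key.lower()
    return any(frag.lower() in key_lower for frag in WATCHED_KEY_FRAGMENTS)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matches at least one rule.

    Reg usage is only noted as context on events that already matched, so
    ordinary administrative reg.exe activity is not flagged on its own."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        reasons: List[str] = []
        if is_pseudo_hidden(ev["key"]) or is_pseudo_hidden(ev["value_name"]):
            reasons.append("null character in registry name (pseudo-hidden key/value)")
        if touches_watched_key(ev["key"]):
            if ev["op"] == "DeleteKey":
                reasons.append("deletion under watched key (possible cleanup)")
            else:
                reasons.append("write under watched persistence/firewall key")
        if reasons and ev["image"].lower().endswith("\\reg.exe"):
            reasons.append("performed via built-in Reg utility")
        if reasons:
            findings.append({"id": ev["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        # Escape the null byte so the hidden name is visible in console output.
        print(finding["id"], "; ".join(finding["reasons"]).replace("\x00", "\\x00"))
```

Running the block flags e1 through e4 and leaves the benign application setting in e5 alone; the null-byte rule is the one that catches e2 even though its key path is otherwise unremarkable, which is why telemetry from a kernel driver rather than a Win32 enumeration is needed for that case.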