MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive knowledge base of tactics, techniques and procedures that adversaries use to conduct cyber-attacks. The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

 

What is Windows registry?

 

The Windows Registry is a database that stores configuration settings for the Microsoft Windows operating system and for applications that opt to use the registry. It is organized in a hierarchical tree-like structure, with keys at the top level representing different categories of settings. These keys, also known as hives, include:

  • HKEY_LOCAL_MACHINE (HKLM) – contains settings that apply to the entire system and all users.
  • HKEY_CURRENT_USER (HKCU) – contains settings that apply only to the currently logged-in user.
  • HKEY_USERS (HKU) – contains settings for all users on the system.
  • HKEY_CURRENT_CONFIG (HKCC) – contains information about the current hardware profile.

 

Each key can contain subkeys, and each subkey can contain further subkeys, forming a hierarchy of keys and values. A key is identified by its full path, which includes the names of all the keys in the hierarchy leading to it. For example, the full path of a key called “Software” within the HKEY_LOCAL_MACHINE hive would be “HKEY_LOCAL_MACHINE\Software”. Each key can have one or more values, which are the actual data stored in the registry. Values can be of different types, such as strings, numbers, or binary data, and are identified by a name. The name and value of a key is used by the operating system or an application to access and configure the corresponding settings.

 

It is not recommended to edit the registry unless you know what you are doing, as a wrong modification can cause serious problems for the system.

 

How can Window registry keys be used by attackers?

 

Windows registry keys can be used by attackers to maintain persistence on a system and gain access to sensitive information. These keys can be mapped to certain techniques in the MITRE ATT&CK framework to understand how they may be used in an attack.

 

  • T1060 – Registry Run Keys / Startup Folder: This technique involves an attacker modifying the registry keys related to system startup and services to execute malicious code when the system starts up. An attacker may use this technique to maintain persistence on a system, even after a reboot. Examples of registry keys that can be used for this technique include:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

 

  • T1546 – Bootkit: Bootkits are a type of malware that is designed to infect the boot process of a system, in order to maintain persistence and evade detection. An attacker may use this technique by modifying
  • the bootloader or boot configuration data. examples of registry keys that can be used for this technique include:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\root#system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

 

  • T1547 – Application Shimming: An attacker may use this technique to alter the behavior of legitimate applications by modifying their configuration or injecting malicious code into their runtime environment. Examples of registry keys that can be used for this technique include:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

 

  • T1548.001 – Misconfigured Security Feature: User Account Control Bypass: This technique an attacker can use this vulnerability to bypass UAC and gain elevated permissions. Examples of registry keys that can be used for this technique include:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

 

Here are a few examples, and there are many other registry keys and locations that can be used by attackers in an attack. It’s important to be aware of these keys and monitor them for any unusual activity. If any suspicious modifications have been made, it’s crucial to document and investigate them, as well as to take appropriate action such as rolling back or removing the changes.

 

CIS controls

You might be interested