T1112 - Modify Registry
Tattiche:
Persistence Defense Evasion
Persistence Defense Evasion
Piattaforme:
Windows
Windows
Rilevamento:
Not specified
Not specified
Description:
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
Usato da Attori (20)
APT19
Nation-state
Nation-state
Turla
Nation-state
Nation-state
OilRig
Nation-state
Nation-state
Gamaredon Group
Unknown
Unknown
APT32
Nation-state
Nation-state
FIN8
Unknown
Unknown
Kimsuky
Nation-state
Nation-state
INDRIK SPIDER
Unknown
Unknown
TA505
Unknown
Unknown
WIZARD SPIDER
Nation-state
Nation-state
APT41
Nation-state
Nation-state
Earth Lusca
Unknown
Unknown
APT42
Nation-state
Nation-state
Volt Typhoon
Unknown
Unknown
LuminousMoth
Unknown
Unknown
Medusa Group
Unknown
Unknown
Dragonfly
Unknown
Unknown
Aquatic Panda
Unknown
Unknown
Ember Bear
Unknown
Unknown
Silence
Unknown
Unknown
Malware (20)
TrickBot other
RCSession other
SynAck other
Exaramel for Windows other
Amadey other
Orz other
Stuxnet other
KEYMARBLE other
Ursnif other
ThreatNeedle other
Zeus Panda other
Prestige other
Bankshot other
PLAINTEE other
NETWIRE other
TinyTurla other
BOOKWORM other
HyperStack other
GreyEnergy other
Crimson other
Metadata
| MITRE ID: | T1112 |
| STIX ID: | attack-pattern--57340c81-c025-... |
| Piattaforme: | Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |