MITRE ATT&CK and Windows registry key

By John Gates

January 8th, 2023

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive knowledge base of tactics, techniques and procedures that adversaries use to conduct cyber-attacks. The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

What is Windows registry?

The Windows Registry is a database that stores configuration settings for the Microsoft Windows operating system and for applications that opt to use the registry. It is organized in a hierarchical tree-like structure, with keys at the top level representing different categories of settings. These keys, also known as hives, include:

HKEY_LOCAL_MACHINE (HKLM) – contains settings that apply to the entire system and all users.
HKEY_CURRENT_USER (HKCU) – contains settings that apply only to the currently logged-in user.
HKEY_USERS (HKU) – contains settings for all users on the system.
HKEY_CURRENT_CONFIG (HKCC) – contains information about the current hardware profile.

Each key can contain subkeys, and each subkey can contain further subkeys, forming a hierarchy of keys and values. A key is identified by its full path, which includes the names of all the keys in the hierarchy leading to it. For example, the full path of a key called “Software” within the HKEY_LOCAL_MACHINE hive would be “HKEY_LOCAL_MACHINE\Software”. Each key can have one or more values, which are the actual data stored in the registry. Values can be of different types, such as strings, numbers, or binary data, and are identified by a name. The name and value of a key is used by the operating system or an application to access and configure the corresponding settings.

It is not recommended to edit the registry unless you know what you are doing, as a wrong modification can cause serious problems for the system.

How can Window registry keys be used by attackers?

Windows registry keys can be used by attackers to maintain persistence on a system and gain access to sensitive information. These keys can be mapped to certain techniques in the MITRE ATT&CK framework to understand how they may be used in an attack.

T1060 – Registry Run Keys / Startup Folder: This technique involves an attacker modifying the registry keys related to system startup and services to execute malicious code when the system starts up. An attacker may use this technique to maintain persistence on a system, even after a reboot. Examples of registry keys that can be used for this technique include:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

T1546 – Bootkit: Bootkits are a type of malware that is designed to infect the boot process of a system, in order to maintain persistence and evade detection. An attacker may use this technique by modifying
the bootloader or boot configuration data. examples of registry keys that can be used for this technique include:

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\root#system
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

T1547 – Application Shimming: An attacker may use this technique to alter the behavior of legitimate applications by modifying their configuration or injecting malicious code into their runtime environment. Examples of registry keys that can be used for this technique include:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

T1548.001 – Misconfigured Security Feature: User Account Control Bypass: This technique an attacker can use this vulnerability to bypass UAC and gain elevated permissions. Examples of registry keys that can be used for this technique include:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Here are a few examples, and there are many other registry keys and locations that can be used by attackers in an attack. It’s important to be aware of these keys and monitor them for any unusual activity. If any suspicious modifications have been made, it’s crucial to document and investigate them, as well as to take appropriate action such as rolling back or removing the changes.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

MITRE ATT&CK and Windows registry key

What is Windows registry?

How can Window registry keys be used by attackers?

Subscribe to Email Updates

You might be interested

Experience a personalized demo