MITRE ATT&CK Technique
Description
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API. The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:23.587Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may interact with the Windows Registry as part of '
'a variety of other techniques to aid in defense evasion, '
'persistence, and execution.\n'
'\n'
'Access to specific areas of the Registry depends on account '
'permissions, with some keys requiring administrator-level '
'access. The built-in Windows command-line utility '
'[Reg](https://attack.mitre.org/software/S0075) may be used '
'for local or remote Registry modification.(Citation: '
'Microsoft Reg) Other tools, such as remote access tools, may '
'also contain functionality to interact with the Registry '
'through the Windows API.\n'
'\n'
'The Registry may be modified in order to hide configuration '
'information or malicious payloads via [Obfuscated Files or '
'Information](https://attack.mitre.org/techniques/T1027).(Citation: '
'Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware '
'2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA '
'Russian Gov Critical Infra 2018) The Registry may also be '
'modified to [Impair '
'Defenses](https://attack.mitre.org/techniques/T1562), such as '
'by enabling macros for all Microsoft Office products, '
'allowing privilege escalation without alerting the user, '
'increasing the maximum number of allowed outbound requests, '
'and/or modifying systems to store plaintext credentials in '
'memory.(Citation: CISA LockBit 2023)(Citation: Unit42 '
'BabyShark Feb 2019)\n'
'\n'
'The Registry of a remote system may be modified to aid in '
'execution of files as part of lateral movement. It requires '
'the remote Registry service to be running on the target '
'system.(Citation: Microsoft Remote) Often [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) are '
"required, along with access to the remote system's "
'[SMB/Windows Admin '
'Shares](https://attack.mitre.org/techniques/T1021/002) for '
'RPC communication.\n'
'\n'
'Finally, Registry modifications may also include actions to '
'hide keys, such as prepending key names with a null '
'character, which will cause an error and/or be ignored when '
'read via [Reg](https://attack.mitre.org/software/S0075) or '
'other utilities using the Win32 API.(Citation: Microsoft '
'Reghide NOV 2006) Adversaries may abuse these pseudo-hidden '
'keys to conceal payloads/commands used to maintain '
'persistence.(Citation: TrendMicro POWELIKS AUG '
'2014)(Citation: SpectorOps Hiding Reg Jul 2017)',
'external_references': [{'external_id': 'T1112',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1112'},
{'description': 'CISA. (2018, March 16). Russian '
'Government Cyber Activity Targeting '
'Energy and Other Critical '
'Infrastructure Sectors. Retrieved '
'March 24, 2025.',
'source_name': 'CISA Russian Gov Critical Infra 2018',
'url': 'https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors'},
{'description': 'CISA. (2023, March 16). '
'#StopRansomware: LockBit 3.0. '
'Retrieved March 24, 2025.',
'source_name': 'CISA LockBit 2023',
'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a'},
{'description': 'Javier Yuste and Sergio Pastrana. '
'(2021). Avaddon ransomware: an '
'in-depth analysis and decryption of '
'infected systems. Retrieved March '
'24, 2025.',
'source_name': 'Avaddon Ransomware 2021',
'url': 'https://arxiv.org/pdf/2102.04796'},
{'description': 'Microsoft Defender Threat '
'Intelligence. (2022, June 13). The '
'many lives of BlackCat ransomware. '
'Retrieved December 20, 2022.',
'source_name': 'Microsoft BlackCat Jun 2022',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/'},
{'description': 'Microsoft. (2012, April 17). Reg. '
'Retrieved May 1, 2015.',
'source_name': 'Microsoft Reg',
'url': 'https://technet.microsoft.com/en-us/library/cc732643.aspx'},
{'description': 'Microsoft. (n.d.). Enable the Remote '
'Registry Service. Retrieved May 1, '
'2015.',
'source_name': 'Microsoft Remote',
'url': 'https://technet.microsoft.com/en-us/library/cc754820.aspx'},
{'description': 'Miroshnikov, A. & Hall, J. (2017, '
'April 18). 4657(S): A registry value '
'was modified. Retrieved August 9, '
'2018.',
'source_name': 'Microsoft 4657 APR 2017',
'url': 'https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657'},
{'description': 'Reitz, B. (2017, July 14). Hiding '
'Registry keys with PSReflect. '
'Retrieved August 9, 2018.',
'source_name': 'SpectorOps Hiding Reg Jul 2017',
'url': 'https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353'},
{'description': 'Russinovich, M. & Sharkey, K. (2006, '
'January 10). Reghide. Retrieved '
'August 9, 2018.',
'source_name': 'Microsoft Reghide NOV 2006',
'url': 'https://docs.microsoft.com/sysinternals/downloads/reghide'},
{'description': 'Russinovich, M. & Sharkey, K. (2016, '
'July 4). RegDelNull v1.11. Retrieved '
'August 10, 2018.',
'source_name': 'Microsoft RegDelNull July 2016',
'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull'},
{'description': 'Santos, R. (2014, August 1). '
'POWELIKS: Malware Hides In Windows '
'Registry. Retrieved August 9, 2018.',
'source_name': 'TrendMicro POWELIKS AUG 2014',
'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/'},
{'description': 'Unit 42. (2019, February 22). New '
'BabyShark Malware Targets U.S. '
'National Security Think Tanks. '
'Retrieved October 7, 2019.',
'source_name': 'Unit42 BabyShark Feb 2019',
'url': 'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'}],
'id': 'attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:49.294Z',
'name': 'Modify Registry',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Bartosz Jerzman',
'Travis Smith, Tripwire',
'David Lu, Tripwire',
'Gerardo Santos'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.0'}