Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.
Procedure Examples

Name | Description |
---|---|
CharmPower | CharmPower can remove persistence-related artifacts from the Registry.(Citation: Check Point APT35 CharmPower January 2022) |
2015 Ukraine Electric Power Attack | During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in turn launches the malware and communicates with C2 servers over the Internet.(Citation: Booz Allen Hamilton) |
Turla | Turla has modified Registry values to store payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) |
PlugX | PlugX has a module to create, delete, or modify Registry keys.(Citation: CIRCL PlugX March 2013) |
ShadowPad | ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.(Citation: Kaspersky ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022) |
Netwalker | Netwalker can add the following registry entry: |
Valak | Valak has the ability to modify the Registry key |
ROKRAT | ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host.(Citation: Malwarebytes RokRAT VBA January 2021) |
APT38 | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 Oct 2018) |
HOPLIGHT | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.(Citation: US-CERT HOPLIGHT Apr 2019) |
Catchamas | Catchamas creates three Registry keys to establish persistence by adding a Windows Service.(Citation: Symantec Catchamas April 2018) |
gh0st RAT | gh0st RAT has altered the InstallTime subkey.(Citation: Gh0stRAT ATT March 2019) |
SynAck | SynAck can manipulate Registry keys.(Citation: SecureList SynAck Doppelgänging May 2018) |
SLOTHFULMEDIA | SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the |
Conficker | Conficker adds keys to the Registry at |
DCSrv | DCSrv has created Registry keys for persistence.(Citation: Checkpoint MosesStaff Nov 2021) |
SUNBURST | SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their |
Patchwork | A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017) |
Explosive | Explosive has a function to write itself to Registry values.(Citation: CheckPoint Volatile Cedar March 2015) |
PolyglotDuke | PolyglotDuke can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 2019) |
PoisonIvy | PoisonIvy creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005) |
KOCTOPUS | KOCTOPUS has added and deleted keys from the Registry.(Citation: MalwareBytes LazyScripter Feb 2021) |
Honeybee | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.(Citation: McAfee Honeybee) |
Indrik Spider | Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities.(Citation: Mandiant_UNC2165) |
LoJax | LoJax has modified the Registry key |
PHOREAL | PHOREAL is capable of manipulating the Registry.(Citation: FireEye APT32 May 2017) |
PoetRAT | PoetRAT has made registry modifications to alter its behavior upon execution.(Citation: Talos PoetRAT April 2020) |
REvil | REvil can modify the Registry to save encryption parameters and system information.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019) |
BACKSPACE | BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.(Citation: FireEye APT30) |
DarkWatchman | DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components.(Citation: Prevailion DarkWatchman 2021) |
Grandoreiro | Grandoreiro can modify the Registry to store its configuration at `HKCU\Software\` under frequently changing names including |
Taidoor | Taidoor has the ability to modify the Registry on compromised hosts using |
Stuxnet | Stuxnet can create registry keys to load driver files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
TinyTurla | TinyTurla can set its configuration parameters in the Registry.(Citation: Talos TinyTurla September 2021) |
FELIXROOT | FELIXROOT deletes the Registry key |
SMOKEDHAM | SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021) |
Pillowmint | Pillowmint has modified the Registry key |
PipeMon | PipeMon has modified the Registry to store its encrypted payload.(Citation: ESET PipeMon May 2020) |
Mafalda | Mafalda can manipulate the system registry on a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
Ember Bear | Ember Bear has used an open source batch script to modify Windows Defender registry keys.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Silence | Silence can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018) |
TA505 | TA505 has used malware to disable Windows Defender through modification of the Registry.(Citation: Korean FSI TA505 2020) |
CHOPSTICK | CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.(Citation: FireEye APT28) |
HermeticWiper | HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022) |
WarzoneRAT | WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation.(Citation: Uptycs Warzone UAC Bypass November 2020)(Citation: Check Point Warzone Feb 2020) |
Cobalt Strike | Cobalt Strike can modify Registry values within |
APT19 | APT19 uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016) |
Dragonfly 2.0 | Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A) |
CSPY Downloader | CSPY Downloader can write to the Registry under the |
Gelsemium | Gelsemium can modify the Registry to store its components.(Citation: ESET Gelsemium June 2021) |
WastedLocker | WastedLocker can modify registry values within the |
metaMain | metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
QuasarRAT | QuasarRAT has a command to edit the Registry on the victim's machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018) |
Hydraq | Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
BlackCat | BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`(Citation: Microsoft BlackCat Jun 2022) |
NPPSPY | NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process.(Citation: Huntress NPPSPY 2022) |
Black Basta | Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022) |
PLAINTEE | PLAINTEE uses |
Gamaredon Group | Gamaredon Group has removed security settings for VBA macro execution by changing registry values |
SILENTTRINITY | SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).(Citation: GitHub SILENTTRINITY Modules July 2019) |
Uroburos | Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
Waterbear | Waterbear has deleted certain values from the Registry to load a malicious DLL.(Citation: Trend Micro Waterbear December 2019) |
SOUNDBITE | SOUNDBITE is capable of modifying the Registry.(Citation: FireEye APT32 May 2017) |
Night Dragon | During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.(Citation: McAfee Night Dragon) |
Remcos | Remcos has full control of the Registry, including the ability to modify it.(Citation: Riskiq Remcos Jan 2018) |
InvisiMole | InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Metamorfo | Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) |
Mosquito | Mosquito can modify Registry keys under |
TEARDROP | TEARDROP modified the Registry to create a Windows service for itself on a compromised host.(Citation: Check Point Sunburst Teardrop December 2020) |
StreamEx | StreamEx has the ability to modify the Registry.(Citation: Cylance Shell Crew Feb 2017) |
Attor | Attor's dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019) |
IPsec Helper | IPsec Helper can make arbitrary changes to registry keys based on provided input.(Citation: SentinelOne Agrius 2021) |
Lokibot | Lokibot has modified the Registry as part of its UAC bypass process.(Citation: Talos Lokibot Jan 2021) |
ZxShell | ZxShell can create Registry entries to enable services to run.(Citation: Talos ZxShell Oct 2014) |
KONNI | KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
Wizard Spider | Wizard Spider has modified the Registry key |
APT32 | APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.(Citation: ESET OceanLotus Mar 2019) |
Aquatic Panda | Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass the hash behaviors to function via RDP.(Citation: Crowdstrike HuntReport 2022) |
Pysa | Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.(Citation: CERT-FR PYSA April 2020) |
Operation Honeybee | During Operation Honeybee, the threat actors used batch files that modified registry keys.(Citation: McAfee Honeybee) |
BADCALL | BADCALL modifies the firewall Registry key |
Operation Wocao | Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019) |
Earth Lusca | Earth Lusca modified the registry using the command |
MegaCortex | MegaCortex has added entries to the Registry for ransom contact information.(Citation: IBM MegaCortex) |
Prestige | Prestige has the ability to register new registry keys for a new extension handler via `HKCR\.enc` and `HKCR\enc\shell\open\command`.(Citation: Microsoft Prestige ransomware October 2022) |
RegDuke | RegDuke can create a seemingly legitimate Registry key to store its encryption key.(Citation: ESET Dukes October 2019) |
Blue Mockingbird | Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020) |
Neoichor | Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`.(Citation: Microsoft NICKEL December 2021) |
Tarrask | Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to "hide" scheduled tasks.(Citation: Tarrask scheduled task) |
Caterpillar WebShell | Caterpillar WebShell has a command to modify a Registry key.(Citation: ClearSky Lebanese Cedar Jan 2021) |
Bisonal | Bisonal has deleted Registry keys to clean up its prior activity.(Citation: Talos Bisonal Mar 2020) |
TajMahal | TajMahal can set the |
HyperStack | HyperStack can add the name of its communication pipe to |
Crimson | Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Ember Bear | Ember Bear modifies registry values for anti-forensics and defense evasion purposes.(Citation: Cadet Blizzard emerges as novel threat actor) |
Orz | Orz can perform Registry operations.(Citation: Proofpoint Leviathan Oct 2017) |
RTM | RTM can delete all Registry entries created during its execution.(Citation: ESET RTM Feb 2017) |
Volt Typhoon | Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
Samurai | The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor.(Citation: Kaspersky ToddyCat June 2022) |
Operation Wocao | During Operation Wocao, the threat actors enabled Wdigest by changing the `HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest` registry value from 0 (disabled) to 1 (enabled).(Citation: FoxIT Wocao December 2019) |
Dragonfly | Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A) |
CrackMapExec | CrackMapExec can create a registry key using wdigest.(Citation: CME Github September 2018) |
Gorgon Group | Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under |
zwShell | zwShell can modify the Registry.(Citation: McAfee Night Dragon) |
Chaes | Chaes can modify Registry values to store information and establish persistence.(Citation: Cybereason Chaes Nov 2020) |
NanoCore | NanoCore has the capability to edit the Registry.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016) |
Clop | Clop can make modifications to Registry keys.(Citation: Cybereason Clop Dec 2020) |
ThreatNeedle | ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`.(Citation: Kaspersky ThreatNeedle Feb 2021) |
Ursnif | Ursnif has used Registry modifications as part of its installation routine.(Citation: TrendMicro BKDR_URSNIF.SM)(Citation: ProofPoint Ursnif Aug 2016) |
PowerShower | PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.(Citation: Unit 42 Inception November 2018) |
ADVSTORESHELL | ADVSTORESHELL is capable of setting and deleting Registry values.(Citation: Bitdefender APT28 Dec 2015) |
EVILNUM | EVILNUM can make modifications to the Registry for persistence.(Citation: Prevailion EvilNum May 2020) |
Zeus Panda | Zeus Panda modifies several Registry keys under |
Exaramel for Windows | Exaramel for Windows adds the configuration to the Registry in XML format.(Citation: ESET TeleBots Oct 2018) |
Naid | Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.(Citation: Symantec Naid June 2012) |
Shamoon | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting |
SysUpdate | SysUpdate can write its configuration file to |
LuminousMoth | LuminousMoth has used malware that adds Registry keys for persistence.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021) |
njRAT | njRAT can create, delete, or modify a specified Registry key or value.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
Mori | Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
GreyEnergy | GreyEnergy modifies conditions in the Registry and adds keys.(Citation: ESET GreyEnergy Oct 2018) |
Reg | Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.(Citation: Microsoft Reg) |
Rover | Rover has functionality to remove Registry Run key persistence as a cleanup procedure.(Citation: Palo Alto Rover) |
Volgmer | Volgmer modifies the Registry to store an encoded configuration file in |
Clambling | Clambling can set and delete Registry keys.(Citation: Trend Micro DRBControl February 2020) |
QakBot | QakBot can modify the Registry to store its configuration information in a randomly named subkey under |
Bankshot | Bankshot writes data into the Registry key |
Kimsuky | Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
ComRAT | ComRAT has modified Registry values to store encrypted orchestrator code and payloads.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) |
Avaddon | Avaddon modifies several registry keys for persistence and UAC bypass.(Citation: Arxiv Avaddon Feb 2021) |
Amadey | Amadey has overwritten registry keys for persistence.(Citation: BlackBerry Amadey 2020) |
TrickBot | TrickBot can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018) |
APT41 | APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) |
DarkComet | DarkComet adds a Registry value for its installation routine to the Registry Key |
Magic Hound | Magic Hound has modified Registry settings for security tools.(Citation: DFIR Report APT35 ProxyShell March 2022) |
TYPEFRAME | TYPEFRAME can install encrypted configuration data under the Registry key |
PcShare | PcShare can delete its persistence mechanisms from the registry.(Citation: Bitdefender FunnyDream Campaign November 2020) |
KEYMARBLE | KEYMARBLE has a command to create Registry entries for storing data under |
Ferocious | Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.(Citation: Kaspersky WIRTE November 2021) |
DarkTortilla | DarkTortilla has modified registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022) |
Cardinal RAT | Cardinal RAT sets |
Agent Tesla | Agent Tesla can achieve persistence by modifying Registry key entries.(Citation: SentinelLabs Agent Tesla Aug 2020) |
NightClub | NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.(Citation: MoustachedBouncer ESET August 2023) |
QUADAGENT | QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.(Citation: Unit 42 QUADAGENT July 2018) |
NETWIRE | NETWIRE can modify the Registry to store its configuration information.(Citation: Red Canary NETWIRE January 2020) |
Sibot | Sibot has modified the Registry to install a second-stage script in the |
BitPaymer | BitPaymer can set values in the Registry to help in execution.(Citation: Crowdstrike Indrik November 2018) |
CHIMNEYSWEEP | CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022) |
RCSession | RCSession can write its configuration file to the Registry.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
Saint Bear | Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Lazarus Group | Lazarus Group has modified registry keys using the reg Windows utility for its custom backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
Nerex | Nerex creates a Registry subkey that registers a new service.(Citation: Symantec Nerex May 2012) |
ShimRat | ShimRat has registered two registry keys for shim databases.(Citation: FOX-IT May 2016 Mofang) |
Threat Group-3390 | A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Trend Micro Iron Tiger April 2021) |
FIN8 | FIN8 has deleted Registry keys during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
AADInternals | AADInternals can modify registry keys as part of setting a new pass-through authentication agent.(Citation: AADInternals Documentation) |
Regin | Regin appears to have functionality to modify remote Registry information.(Citation: Kaspersky Regin) |
Pandora | Pandora can write an encrypted token to the Registry to enable processing of remote commands.(Citation: Trend Micro Iron Tiger April 2021) |
Mitigations

Mitigation | Description |
---|---|
Restrict Registry Permissions | Restrict the ability to modify certain hives or keys in the Windows Registry. |
Modify Registry Mitigation | Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, such as through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP) |
Detection
Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods).(Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect the information needed for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide.(Citation: Microsoft Reghide NOV 2006) Inspect and clean up malicious hidden Registry entries using native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
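The following Python triage script is an added example, not code from the ATT&CK page or from any tool it lists. It applies the detection guidance above to constructed Security event ID 4657 records: it flags writes to the autostart, service and WDigest keys that appear in this page's procedure examples, treats deletions under autostart keys as possible cleanup, and flags key names carrying a leading null character (the Reghide-style hiding described in the technique description). The record layout, watchlist, SID, paths and process names are all assumptions.

```python
"""Triage of Windows Security event ID 4657 (a registry value was modified).

Added example, not code from the ATT&CK page: parses constructed 4657-style records,
maps the kernel-style ObjectName to hive shorthand, and flags the changes the Detection
section describes (autostart/service entries, WDigest caching, null-prefixed hidden keys).
"""
import re

# OperationType codes as rendered in 4657 event data.
OPERATION = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
# Watched key prefixes in hive shorthand. Assumption: illustrative, not exhaustive.
WATCHLIST = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "autostart",
    r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run": "autostart",
    r"HKLM\SYSTEM\CurrentControlSet\Services": "service",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest": "credential-provider",
}


def parse_4657(text):
    """Parse blank-line separated 'Field: value' records (constructed layout) into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def normalize_key(object_name):
    """Map \\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<sid> and ControlSet00N to HKLM / HKU\\<SID>."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", object_name, flags=re.IGNORECASE)
    key = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+", r"HKU\\<SID>", key, flags=re.IGNORECASE)
    return re.sub(r"\\ControlSet00\d\\", r"\\CurrentControlSet\\", key, flags=re.IGNORECASE)


def classify(event):
    """Return the reasons this event deserves analyst attention (empty list if none)."""
    reasons = []
    key = normalize_key(event.get("ObjectName", ""))
    value_name = event.get("ObjectValueName", "")
    op = OPERATION.get(event.get("OperationType", ""), "unknown")
    # A leading null in any path component hides the key from Reg and other Win32 tools.
    if any(part.startswith("\x00") for part in key.split("\\")):
        reasons.append("null-prefixed key name (hidden key)")
    for prefix, label in WATCHLIST.items():
        if key.lower().startswith(prefix.lower()):
            reasons.append(f"{label} key {op}")
            # ImagePath / ServiceDll decide what a service executes when it starts.
            if label == "service" and value_name.lower() in ("imagepath", "servicedll"):
                reasons.append(f"{value_name} now {event.get('NewValue', '')}")
            if (label == "credential-provider" and value_name.lower() == "uselogoncredential"
                    and event.get("NewValue") == "1"):
                reasons.append("WDigest plaintext credential caching enabled")
            break
    return reasons


def triage(text):
    """Return (process, key, value name, reasons) for each event that raised a reason."""
    hits = []
    for ev in parse_4657(text):
        reasons = classify(ev)
        if reasons:
            hits.append((ev.get("ProcessName", "?"), normalize_key(ev.get("ObjectName", "")),
                         ev.get("ObjectValueName", ""), reasons))
    return hits


# Constructed sample records; the SID, paths and process names are made up.
SAMPLE_EVENTS = """\
ObjectName: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
ObjectValueName: Updater
OperationType: %%1904
NewValue: C:\\Users\\Public\\update.vbs
ProcessName: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe

ObjectName: \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest
ObjectValueName: UseLogonCredential
OperationType: %%1905
NewValue: 1
ProcessName: C:\\Windows\\System32\\reg.exe

ObjectName: \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\ExampleSvc\\Parameters
ObjectValueName: ServiceDll
OperationType: %%1905
NewValue: C:\\Users\\Public\\example.dll
ProcessName: C:\\Windows\\System32\\rundll32.exe

ObjectName: \\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\\x00Hidden
ObjectValueName: payload
OperationType: %%1904
NewValue: (binary)
ProcessName: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""
```

Running `triage(SAMPLE_EVENTS)` yields one hit per sample record; a benign write (for example an Explorer view setting under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`) produces no reasons.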
References
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
- Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.
- Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
- Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
- Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
- Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
- ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
- CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
- Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
- Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
- Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
- Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
- Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
- Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
- Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
- Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
- ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
- Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
- Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
Related risks
Risk | Links |
---|---|
Defense evasion due to the ability to modify the Windows Registry in the Windows OS | Privilege escalation; Integrity |