Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps you build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), an ISMS, and banking security systems.
SECURITM is also a place for security teams to share experience and work products.

Modify Registry

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.

The Registry may be modified in order to hide configuration information or malicious payloads via Obfuscated Files or Information.(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to Impair Defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. This requires the Remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which causes an error and/or is ignored when the key is read via Reg or other utilities that use the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)

ID: T1112
Tactic(s): Defense Evasion, Persistence
Platforms: Windows
Data Sources: Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Version: 2.0
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples

Name Description
TrickBot

TrickBot can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018)

RCSession

RCSession can write its configuration file to the Registry.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

SynAck

SynAck can manipulate Registry keys.(Citation: SecureList SynAck Doppelgänging May 2018)

Exaramel for Windows

Exaramel for Windows adds the configuration to the Registry in XML format.(Citation: ESET TeleBots Oct 2018)

Amadey

Amadey has overwritten registry keys for persistence.(Citation: BlackBerry Amadey 2020)

NPPSPY

NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process.(Citation: Huntress NPPSPY 2022)

Orz

Orz can perform Registry operations.(Citation: Proofpoint Leviathan Oct 2017)

Stuxnet

Stuxnet can create registry keys to load driver files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

KEYMARBLE

KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath.(Citation: US-CERT KEYMARBLE Aug 2018)

SILENTTRINITY

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).(Citation: GitHub SILENTTRINITY Modules July 2019)

Ursnif

Ursnif has used Registry modifications as part of its installation routine.(Citation: TrendMicro BKDR_URSNIF.SM)(Citation: ProofPoint Ursnif Aug 2016)

ThreatNeedle

ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`.(Citation: Kaspersky ThreatNeedle Feb 2021)

Naid

Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.(Citation: Symantec Naid June 2012)

Zeus Panda

Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\PhishingFilter\ to disable phishing filters.(Citation: GDATA Zeus Panda June 2017)

Prestige

Prestige has the ability to register new registry keys for a new extension handler via `HKCR\.enc` and `HKCR\enc\shell\open\command`.(Citation: Microsoft Prestige ransomware October 2022)

Bankshot

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.(Citation: US-CERT Bankshot Dec 2017)

PLAINTEE

PLAINTEE uses reg add to add a Registry Run key for persistence.(Citation: Rancor Unit42 June 2018)

NETWIRE

NETWIRE can modify the Registry to store its configuration information.(Citation: Red Canary NETWIRE January 2020)

TinyTurla

TinyTurla can set its configuration parameters in the Registry.(Citation: Talos TinyTurla September 2021)

AADInternals

AADInternals can modify registry keys as part of setting a new pass-through authentication agent.(Citation: AADInternals Documentation)

HyperStack

HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.(Citation: Accenture HyperStack October 2020)

GreyEnergy

GreyEnergy modifies conditions in the Registry and adds keys.(Citation: ESET GreyEnergy Oct 2018)

Crimson

Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016)

TEARDROP

TEARDROP modified the Registry to create a Windows service for itself on a compromised host.(Citation: Check Point Sunburst Teardrop December 2020)

PcShare

PcShare can delete its persistence mechanisms from the registry.(Citation: Bitdefender FunnyDream Campaign November 2020)

Mafalda

Mafalda can manipulate the system registry on a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

PolyglotDuke

PolyglotDuke can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 2019)

ShrinkLocker

ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)

BlackByte 2.0 Ransomware

BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution.(Citation: Microsoft BlackByte 2023)

HOPLIGHT

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.(Citation: US-CERT HOPLIGHT Apr 2019)

WastedLocker

WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key.(Citation: NCC Group WastedLocker June 2020)

RegDuke

RegDuke can create seemingly legitimate Registry key to store its encryption key.(Citation: ESET Dukes October 2019)

InvisiMole

InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Volgmer

Volgmer modifies the Registry to store an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)

TRANSLATEXT

TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: `HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist`.(Citation: Zscaler Kimsuky TRANSLATEXT)

Regin

Regin appears to have functionality to modify remote Registry information.(Citation: Kaspersky Regin)

Neoichor

Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`.(Citation: Microsoft NICKEL December 2021)

BlackCat

BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`.(Citation: Microsoft BlackCat Jun 2022)

CSPY Downloader

CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.(Citation: Cybereason Kimsuky November 2020)

PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.(Citation: Unit 42 Inception November 2018)

DarkComet

DarkComet adds Registry values for its installation routine under the keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (setting EnableLUA="0") and HKEY_CURRENT_USER\Software\DC3_FEXEC.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

CHIMNEYSWEEP

CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022)

zwShell

zwShell can modify the Registry.(Citation: McAfee Night Dragon)

DCSrv

DCSrv has created Registry keys for persistence.(Citation: Checkpoint MosesStaff Nov 2021)

ShimRat

ShimRat has registered two registry keys for shim databases.(Citation: FOX-IT May 2016 Mofang)

Avaddon

Avaddon modifies several registry keys for persistence and UAC bypass.(Citation: Arxiv Avaddon Feb 2021)

Conficker

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)

DarkTortilla

DarkTortilla has modified registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022)

ROKRAT

ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host.(Citation: Malwarebytes RokRAT VBA January 2021)

DarkWatchman

DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components.(Citation: Prevailion DarkWatchman 2021)

PlugX

PlugX has a module to create, delete, or modify Registry keys.(Citation: CIRCL PlugX March 2013)

Bisonal

Bisonal has deleted Registry keys to clean up its prior activity.(Citation: Talos Bisonal Mar 2020)

Explosive

Explosive has a function to write itself to Registry values.(Citation: CheckPoint Volatile Cedar March 2015)

Rover

Rover has functionality to remove Registry Run key persistence as a cleanup procedure.(Citation: Palo Alto Rover)

Clambling

Clambling can set and delete Registry keys.(Citation: Trend Micro DRBControl February 2020)

Agent Tesla

Agent Tesla can achieve persistence by modifying Registry key entries.(Citation: SentinelLabs Agent Tesla Aug 2020)

LockBit 3.0

LockBit 3.0 can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)

Hydraq

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

Ferocious

Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.(Citation: Kaspersky WIRTE November 2021)

Caterpillar WebShell

Caterpillar WebShell has a command to modify a Registry key.(Citation: ClearSky Lebanese Cedar Jan 2021)

Netwalker

Netwalker can add the following registry entry: HKEY_CURRENT_USER\SOFTWARE\{8 random characters}.(Citation: TrendMicro Netwalker May 2020)

Chaes

Chaes can modify Registry values to store information and establish persistence.(Citation: Cybereason Chaes Nov 2020)

CharmPower

CharmPower can remove persistence-related artifacts from the Registry.(Citation: Check Point APT35 CharmPower January 2022)

TYPEFRAME

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.(Citation: US-CERT TYPEFRAME June 2018)

Remcos

Remcos has full control of the Registry, including the ability to modify it.(Citation: Riskiq Remcos Jan 2018)

EVILNUM

EVILNUM can make modifications to the Registry for persistence.(Citation: Prevailion EvilNum May 2020)

SMOKEDHAM

SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021)

Mori

Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

QUADAGENT

QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.(Citation: Unit 42 QUADAGENT July 2018)

Uroburos

Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo

Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

PipeMon

PipeMon has modified the Registry to store its encrypted payload.(Citation: ESET PipeMon May 2020)

KONNI

KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

gh0st RAT

gh0st RAT has altered the InstallTime subkey.(Citation: Gh0stRAT ATT March 2019)

Shamoon

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)

Black Basta

Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)

Catchamas

Catchamas creates three Registry keys to establish persistence by adding a Windows Service.(Citation: Symantec Catchamas April 2018)

Attor

Attor's dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019)

MegaCortex

MegaCortex has added entries to the Registry for ransom contact information.(Citation: IBM MegaCortex)

StreamEx

StreamEx has the ability to modify the Registry.(Citation: Cylance Shell Crew Feb 2017)

NightClub

NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.(Citation: MoustachedBouncer ESET August 2023)

Mosquito

Mosquito can modify Registry keys under HKCU\Software\Microsoft\[dllname] to store configuration values. Mosquito also modifies Registry keys under HKCR\CLSID\...\InprocServer32 with a path to the launcher.(Citation: ESET Turla Mosquito Jan 2018)

RTM

RTM can delete all Registry entries created during its execution.(Citation: ESET RTM Feb 2017)

BlackByte Ransomware

BlackByte Ransomware modifies the victim Registry to prevent system recovery.(Citation: Trustwave BlackByte 2021)

Grandoreiro

Grandoreiro can modify the Registry to store its configuration at `HKCU\Software\` under frequently changing names including %USERNAME% and ToolTech-RM.(Citation: ESET Grandoreiro April 2020)

Sibot

Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.(Citation: MSTIC NOBELIUM Mar 2021)

Tarrask

Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to "hide" scheduled tasks.(Citation: Tarrask scheduled task)

SOUNDBITE

SOUNDBITE is capable of modifying the Registry.(Citation: FireEye APT32 May 2017)

BADCALL

BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.(Citation: US-CERT BADCALL)

HermeticWiper

HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Pysa

Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.(Citation: CERT-FR PYSA April 2020)

Kapeka

Kapeka writes persistent configuration information to the victim host registry.(Citation: WithSecure Kapeka 2024)

LockBit 2.0

LockBit 2.0 can create Registry keys to bypass UAC and for persistence.(Citation: FBI Lockbit 2.0 FEB 2022)

Pandora

Pandora can write an encrypted token to the Registry to enable processing of remote commands.(Citation: Trend Micro Iron Tiger April 2021)

Cobalt Strike

Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security\AccessVBOM to enable the execution of additional code.(Citation: Talos Cobalt Strike September 2020)

SUNBURST

SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020) It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.(Citation: Microsoft Deep Dive Solorigate January 2021)

REvil

REvil can modify the Registry to save encryption parameters and system information.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

Valak

Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Samurai

The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor.(Citation: Kaspersky ToddyCat June 2022)

Taidoor

Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

PoisonIvy

PoisonIvy creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005)

NanoCore

NanoCore has the capability to edit the Registry.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)

TajMahal

TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers to enable document stealing.(Citation: Kaspersky TajMahal April 2019)

IPsec Helper

IPsec Helper can make arbitrary changes to registry keys based on provided input.(Citation: SentinelOne Agrius 2021)

LoJax

LoJax has modified the Registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' from 'autocheck autochk *' to 'autocheck autoche *'.(Citation: ESET LoJax Sept 2018)

Cardinal RAT

Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.(Citation: PaloAlto CardinalRat Apr 2017)

Pillowmint

Pillowmint has modified the Registry key HKLM\SOFTWARE\Microsoft\DRM to store a malicious payload.(Citation: Trustwave Pillowmint June 2020)

SysUpdate

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.(Citation: Trend Micro Iron Tiger April 2021)

Nerex

Nerex creates a Registry subkey that registers a new service.(Citation: Symantec Nerex May 2012)

CrackMapExec

CrackMapExec's wdigest module can create a Registry value under the WDigest key.(Citation: CME Github September 2018)

Clop

Clop can make modifications to Registry keys.(Citation: Cybereason Clop Dec 2020)

Lokibot

Lokibot has modified the Registry as part of its UAC bypass process.(Citation: Talos Lokibot Jan 2021)

PoetRAT

PoetRAT has made registry modifications to alter its behavior upon execution.(Citation: Talos PoetRAT April 2020)

CHOPSTICK

CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.(Citation: FireEye APT28)

Reg

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.(Citation: Microsoft Reg)

FELIXROOT

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.(Citation: FireEye FELIXROOT July 2018)

ZxShell

ZxShell can create Registry entries to enable services to run.(Citation: Talos ZxShell Oct 2014)

njRAT

njRAT can create, delete, or modify a specified Registry key or value.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

QuasarRAT

QuasarRAT has a command to edit the Registry on the victim's machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018)

ComRAT

ComRAT has modified Registry values to store encrypted orchestrator code and payloads.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

metaMain

metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

KOCTOPUS

KOCTOPUS has added and deleted keys from the Registry.(Citation: MalwareBytes LazyScripter Feb 2021)

ShadowPad

ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.(Citation: Kaspersky ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022)

QakBot

QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.(Citation: Red Canary Qbot)(Citation: Group IB Ransomware September 2020)

Gelsemium

Gelsemium can modify the Registry to store its components.(Citation: ESET Gelsemium June 2021)

Waterbear

Waterbear has deleted certain values from the Registry to load a malicious DLL.(Citation: Trend Micro Waterbear December 2019)

PHOREAL

PHOREAL is capable of manipulating the Registry.(Citation: FireEye APT32 May 2017)

BitPaymer

BitPaymer can set values in the Registry to help in execution.(Citation: Crowdstrike Indrik November 2018)

BACKSPACE

BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.(Citation: FireEye APT30)

ADVSTORESHELL

ADVSTORESHELL is capable of setting and deleting Registry values.(Citation: Bitdefender APT28 Dec 2015)

WarzoneRAT

WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation.(Citation: Uptycs Warzone UAC Bypass November 2020)(Citation: Check Point Warzone Feb 2020)

SLOTHFULMEDIA

SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

Turla

Turla has modified Registry values to store payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)

Operation Wocao

Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019)

Lazarus Group

Lazarus Group has modified registry keys using the reg windows utility for its custom backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Gamaredon Group

Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)

Indrik Spider

Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities.(Citation: Mandiant_UNC2165)

APT38

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 Oct 2018)

Dragonfly 2.0

Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A)

Aquatic Panda

Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass the hash behaviors to function via RDP.(Citation: Crowdstrike HuntReport 2022)

Honeybee

Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.(Citation: McAfee Honeybee)

BlackByte

BlackByte performed Registry modifications to escalate privileges and disable security tools.(Citation: Picus BlackByte 2022)(Citation: Cisco BlackByte 2024)

Silence

Silence can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018)

Wizard Spider

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Mandiant FIN12 Oct 2021)

Threat Group-3390

A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Trend Micro Iron Tiger April 2021)

APT32

APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. (Citation: ESET OceanLotus Mar 2019)

Saint Bear

Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Dragonfly

Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A)

OilRig

OilRig has used reg.exe to modify system configuration.(Citation: Symantec Crambus OCT 2023)(Citation: Trend Micro Earth Simnavaz October 2024)

LuminousMoth

LuminousMoth has used malware that adds Registry keys for persistence.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

APT19

APT19 uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016)

Volt Typhoon

Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

Kimsuky

Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Magic Hound

Magic Hound has modified Registry settings for security tools.(Citation: DFIR Report APT35 ProxyShell March 2022)

Patchwork

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)

Ember Bear

Ember Bear modifies registry values for anti-forensics and defense evasion purposes.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear has also used an open source batch script to modify Windows Defender registry keys.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

APT42

APT42 has modified Registry keys to maintain persistence.(Citation: Mandiant APT42-charms)

Gorgon Group

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.(Citation: Unit 42 Gorgon Group Aug 2018)

Earth Lusca

Earth Lusca modified the registry using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]" for persistence.(Citation: TrendMicro EarthLusca 2022)

Lotus Blossom

Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry.(Citation: Cisco LotusBlossom 2025)

Blue Mockingbird

Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020)

APT41

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

FIN8

FIN8 has deleted Registry keys during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

TA505

TA505 has used malware to disable Windows Defender through modification of the Registry.(Citation: Korean FSI TA505 2020)

Mitigations

Mitigation Description
Restrict Registry Permissions

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys
- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access.
- Use tools like `icacls` or `PowerShell` to automate permission adjustments.

Enable Registry Auditing
- Enable auditing on sensitive keys to log access attempts.
- Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.
- Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`

Protect Credential-Related Hives
- Limit access to hives like `SAM`, `SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access.
- Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage
- Use Group Policy to restrict access to regedit.exe for non-administrative users.
- Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools
- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

*Tools for Implementation*

Registry Permission Tools:
- Registry Editor (regedit): Built-in tool to manage registry permissions.
- PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"`
- icacls: Command-line tool to modify ACLs.

Monitoring Tools:
- Sysmon: Monitor and log registry events.
- Event Viewer: View registry access logs.

Policy Management Tools:
- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.
- Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.
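The first two measures above (reviewing write access on critical keys and enabling auditing on them) can be scripted. The following PowerShell is an added example written for this page; it is not part of the original MITRE text or of any Microsoft tooling. The list of autostart keys, the list of principals expected to hold write access, and the audited rights are assumptions chosen for illustration and should be adjusted to the environment. It must run in an elevated session, because reading and writing SACLs requires SeSecurityPrivilege.

```powershell
# Added example (not from the original page): review who can write to common
# autostart keys, and put a SACL on them so that changes produce Event ID 4657.
# Key list, expected writers and audited rights are assumptions for illustration.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Principals that are expected to hold write access on these keys (assumption).
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow a principal to add, change or remove autostart entries.
# Casting a comma-separated string to the flags enum combines the values.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Get-UnexpectedRegistryWriters {
    # Emits one object per Allow ACE that grants write rights to a principal
    # outside the expected list. An empty result means the DACL is as expected.
    param(
        [string[]]$Keys = $AutostartKeys,
        [string[]]$Expected = $ExpectedWriters
    )
    foreach ($key in $Keys) {
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Enable-RegistryKeyAuditing {
    # Adds an audit rule so that successful and failed write attempts by any
    # principal on the key and its subkeys are logged (Event ID 4657 for value
    # changes). The Registry audit subcategory must also be enabled with
    # auditpol, as shown in the mitigation text above, or no events are written.
    param([string[]]$Keys = $AutostartKeys)
    $rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey'
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $rights, $inherit, $prop, $flags)
    foreach ($key in $Keys) {
        $acl = Get-Acl -Path $key -Audit   # -Audit is required to read and keep the SACL
        $acl.AddAuditRule($rule)
        Set-Acl -Path $key -AclObject $acl
        Write-Verbose "Audit rule applied to $key"
    }
}

# Report ACEs that grant write access to principals outside the expected list.
Get-UnexpectedRegistryWriters | Format-Table -AutoSize
```

Run `Get-UnexpectedRegistryWriters` first and treat every row as a finding to review: an inherited ACE usually points at a permissive parent key, whereas a non-inherited one was set on the key itself. Run `Enable-RegistryKeyAuditing` once per host (or deploy the equivalent SACL through Group Policy) so that the detection guidance below has Event ID 4657 records to work with; the SACL alone does nothing until the `auditpol` subcategory in the text is enabled.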

Modify Registry Mitigation

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and clean up malicious hidden Registry entries using native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
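The 4657 triage described above can be prototyped directly against the Security log before a SIEM rule is written. The following PowerShell is an added example for this page, not code from MITRE or from Microsoft; it assumes that the Registry audit subcategory is enabled and that the watched keys carry a SACL, as the paragraph above requires. The key patterns and the list of processes that are expected to write autostart entries are assumptions for illustration and will need tuning per environment (patch cycles, software deployment tools).

```powershell
# Added example (not from the original page): read Event ID 4657 (registry value
# modified) from the Security log and surface changes under autostart keys that
# were not made by an expected writer process. Patterns and the expected-process
# list are assumptions for illustration.

# ObjectName in 4657 uses the kernel path form, e.g.
# \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
$WatchedKeyPatterns = @(
    '\\Microsoft\\Windows\\CurrentVersion\\Run($|\\)',
    '\\Microsoft\\Windows\\CurrentVersion\\RunOnce($|\\)',
    '\\CurrentControlSet\\Services\\[^\\]+$'   # values such as ImagePath sit directly under the service key
)

# Processes that legitimately write these keys in this (assumed) environment.
$ExpectedWriterProcesses = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\msiexec.exe',
    'C:\Windows\servicing\TrustedInstaller.exe'
)

function Get-EventDataField {
    # Returns the text of one <Data Name="..."> element from a 4657 event's XML.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SuspiciousRegistryChanges {
    # Emits one object per 4657 event whose ObjectName matches a watched key and
    # whose writing process is not on the expected list. Nothing is emitted when
    # auditing is off, since there are then no 4657 events to read.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $x    = [xml]$evt.ToXml()
        $key  = Get-EventDataField $x 'ObjectName'
        $hit  = $WatchedKeyPatterns | Where-Object { $key -match $_ }
        if (-not $hit) { continue }
        $proc = Get-EventDataField $x 'ProcessName'
        if ($ExpectedWriterProcesses -contains $proc) { continue }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            User      = Get-EventDataField $x 'SubjectUserName'
            Process   = $proc
            Key       = $key
            ValueName = Get-EventDataField $x 'ObjectValueName'
            Operation = Get-EventDataField $x 'OperationType'
            OldValue  = Get-EventDataField $x 'OldValue'
            NewValue  = Get-EventDataField $x 'NewValue'
        }
    }
}

Get-SuspiciousRegistryChanges | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Each row is a lead, not a verdict: compare `NewValue` against the known software inventory and the current patch cycle, and correlate a `Services` hit with the service start or restart that the text says usually follows. As the paragraph notes, entries hidden with null-prefixed key names may not appear here at all, so this query complements rather than replaces an Autoruns or RegDelNull sweep.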

References

  1. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  2. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  3. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  4. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.
  5. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  6. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  7. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  9. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  10. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  11. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  12. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  13. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  14. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  15. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  16. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  17. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  18. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  19. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
  20. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  21. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  22. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  23. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  24. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  25. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  26. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  27. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  28. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  29. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  30. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  31. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
  32. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  33. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  34. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  35. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  36. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  37. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  38. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  39. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  40. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
  41. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  42. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  43. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  44. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  45. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  46. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  47. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  48. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  49. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  50. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  51. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  52. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  53. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  54. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
  55. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  56. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  57. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  58. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  59. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  60. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  61. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  62. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  63. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  64. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  65. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  66. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  67. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  68. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  69. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  70. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  71. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  72. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  73. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  74. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
  75. Splunk Threat Research Team, Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
  76. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  77. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
  78. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  79. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  80. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  81. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  82. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  83. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  84. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  85. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  86. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  87. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  88. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  89. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  90. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  91. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  92. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  93. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  94. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  95. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  96. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  97. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  98. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  99. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  100. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  101. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
  102. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  103. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  104. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  105. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  106. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  107. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  108. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  109. Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
  110. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  111. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  112. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  113. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  114. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  115. Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
  116. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  117. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  118. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  119. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  120. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  121. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  122. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  123. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  124. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  125. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  126. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  127. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  128. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  129. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  130. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  131. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  132. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
  133. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  134. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  135. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  136. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  137. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  138. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  139. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  140. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  141. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  142. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  143. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  144. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  145. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  146. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  147. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024.
  148. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  149. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  150. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  151. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  152. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  153. Jenkins, L., et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  154. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  155. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  156. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  157. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  158. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.
  159. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  160. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  161. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  162. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  163. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  164. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  165. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  166. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  167. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  168. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  169. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  170. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  171. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  172. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  173. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  174. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  175. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  176. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  177. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  178. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  179. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  180. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  181. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  182. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  183. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  184. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  185. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  186. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  187. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  188. CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.
  189. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  190. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  191. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  192. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  193. CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.
  194. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  195. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
  196. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  197. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
  198. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  199. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  200. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  201. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  202. Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  203. Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.
  204. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  205. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  206. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  207. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  208. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  209. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  210. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  211. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  212. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  213. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  214. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  215. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  216. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  217. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.
