Tracking specific Windows Registry keys is a critical component of proactive threat hunting, as attackers often modify them to establish persistence, escalate privileges, or hide malicious payloads.
Important registry keys and areas to monitor include:
For Persistence and Autostart
Attackers frequently use these locations to ensure their malicious programs run automatically whenever the system starts or a user logs in.
- Run and RunOnce Keys: These are the primary locations for auto-starting programs for either the entire machine or a specific user.
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Scheduled Tasks & Services: While tasks are often managed through the Task Scheduler, underlying configurations can sometimes be tracked via specific registry paths.
- AppInit_DLLs: This value can be manipulated to load arbitrary DLLs into processes, a form of DLL injection used for stealth and privilege escalation.
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
For Credential Access and System Tampering
Monitoring these keys helps detect attempts to steal credentials or modify core system behavior.
- LSA Secrets & Credential Storage: Monitoring access to or changes in keys related to the Local Security Authority (LSA) can reveal attempts at credential theft.
  - HKEY_LOCAL_MACHINE\SECURITY\Cache
  - HKEY_LOCAL_MACHINE\SECURITY\LSA
- Driver & Kernel Mode Persistence: Changes here might indicate low-level tampering or attempts to install malicious drivers for maximum stealth.
- Winlogon Entries: Winlogon handles the critical logon and logoff processes, and attackers may modify associated registry entries to execute code during authentication.
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (specifically entries such as Shell or Userinit)
- Shell & Explorer Keys: Watching for modified entries in Windows Explorer or the default shell settings can uncover attempts to change the user experience or inject malicious code.
For Evasion and Lateral Movement
- WMI / COM Objects: Attackers can use Windows Management Instrumentation (WMI) and Component Object Model (COM) hijacking for advanced persistence techniques that often go unnoticed by basic monitoring.
- Browser Settings Keys: Spotting injected proxies or altered configurations in browser-related keys can indicate attempts to intercept traffic or redirect users to malicious sites.
Best Practices for Monitoring
- Use EDR/SIEM Tools: Leverage Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) solutions for real-time monitoring and alerting on registry changes.
- Establish Baselines: Maintain a "clean" baseline of your environment to easily spot unusual or unauthorized modifications.
- Prioritize Alerts with CTI: Use Cyber Threat Intelligence (CTI) to focus monitoring on specific DLL names or patterns known to be used by threat actors, turning noisy alerts into high-fidelity leads.
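As an added example (not from the original article), a PowerShell script that applies the baseline practice to the Run, RunOnce, AppInit_DLLs and Winlogon locations listed above: the first run on a known-clean host records a snapshot, and every later run reports values that were added, changed or removed. The function names and the baseline file path are assumptions; HKLM\SECURITY is left out because it is readable only as SYSTEM.

```powershell
# Added example, not from the article. Assumed names: Get-AutostartSnapshot,
# Compare-AutostartSnapshot, $BaselinePath. HKLM\SECURITY is omitted (readable only as SYSTEM).
$WatchedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # holds AppInit_DLLs
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # holds Shell, Userinit
)
function Get-AutostartSnapshot {
    # Hashtable of "key\valueName" -> value data for every watched key that exists.
    $snap = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) { $snap["$key\$name"] = [string]$item.GetValue($name) }
    }
    return $snap
}
function Compare-AutostartSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # One object per added, changed or removed value; no output means no drift.
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $k; Data = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Entry = $k; Data = "$($Baseline[$k]) -> $($Current[$k])" }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { [pscustomobject]@{ Change = 'Removed'; Entry = $k; Data = $Baseline[$k] } }
    }
}
$BaselinePath = "$env:ProgramData\autostart-baseline.json"   # assumed location
if (-not (Test-Path $BaselinePath)) {
    # First run on a known-clean host: record the baseline and stop.
    Get-AutostartSnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # Later runs: rebuild the baseline hashtable from JSON and report drift.
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    Compare-AutostartSnapshot -Baseline $baseline -Current (Get-AutostartSnapshot) | Format-Table -AutoSize
}
```

Run it under a scheduled task and forward the Added/Changed/Removed objects to your SIEM; an unexpected entry under Winlogon\Userinit or a non-empty AppInit_DLLs value is the kind of drift that deserves an immediate look.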