Clankerusecase
MITRE ATT&CK detection coverage

T1112 Modify Registry

T1112 — Modify Registry is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 89 detection use cases covering it and 10 threat-intel articles citing it.

Defense Evasion, Persistence
89 Use cases
10 Articles
0 Sub-techniques
2 Tactics

Use cases covering this technique (89)

Disable Registry Tool · ESCU · actions · alerting · P
Disable Security Logs Using MiniNt Registry · ESCU · actions · alerting · P
Disable Show Hidden Files · ESCU · actions · hunting · P
Disable Windows App Hotkeys · ESCU · actions · alerting · P
Disabling CMD Application · ESCU · actions · alerting · P
Disabling ControlPanel · ESCU · actions · alerting · P
Disabling NoRun Windows App · ESCU · actions · alerting · P
Enable WDigest UseLogonCredential Registry · ESCU · actions · alerting · P
FodHelper UAC Bypass · ESCU · actions · alerting · P
Malicious InProcServer32 Modification · ESCU · actions · alerting · P
Remcos client registry install entry · ESCU · actions · alerting · P
Revil Registry Entry · ESCU · actions · alerting · P
Rundll32 Shimcache Flush · ESCU · actions · alerting · P
Suspicious Reg exe Process · ESCU · actions · hunting · P
Windows Anomalous Registry Value Length in Environment Key · ESCU · actions · hunting · P
Windows Defender ASR Registry Modification · ESCU · actions · hunting · P
Windows Defender ASR Rule Disabled · ESCU · actions · alerting · P
Windows Deleted Registry By A Non Critical Process File Path · ESCU · actions · hunting · P
Windows Disable Change Password Through Registry · ESCU · actions · hunting · P
Windows Disable Lock Workstation Feature Through Registry · ESCU · actions · hunting · P
Windows Disable LogOff Button Through Registry · ESCU · actions · hunting · P
Windows Disable Notification Center · ESCU · actions · hunting · P
Windows Disable Shutdown Button Through Registry · ESCU · actions · hunting · P
Windows Disable Windows Group Policy Features Through Registry · ESCU · actions · hunting · P
Windows Downdate Registry Activity · ESCU · actions · hunting · P
Windows Hide Notification Features Through Registry · ESCU · actions · hunting · P
Windows Impair Defenses Disable AV AutoStart via Registry · ESCU · actions · alerting · P
Windows InProcServer32 New Outlook Form · ESCU · actions · hunting · P
Windows Modify Registry AuthenticationLevelOverride · ESCU · actions · hunting · P
Windows Modify Registry Auto Minor Updates · ESCU · actions · hunting · P
Windows Modify Registry Auto Update Notif · ESCU · actions · hunting · P
Windows Modify Registry Configure BitLocker · ESCU · actions · alerting · P
Windows Modify Registry Default Icon Setting · ESCU · actions · hunting · P
Windows Modify Registry Delete Firewall Rules · ESCU · actions · alerting · P
Windows Modify Registry Disable RDP · ESCU · actions · hunting · P
Windows Modify Registry Disable Restricted Admin · ESCU · actions · alerting · P
Windows Modify Registry Disable Toast Notifications · ESCU · actions · hunting · P
Windows Modify Registry Disable Win Defender Raw Write Notif · ESCU · actions · hunting · P
Windows Modify Registry Disable WinDefender Notifications · ESCU · actions · alerting · P
Windows Modify Registry Disable Windows Security Center Notif · ESCU · actions · hunting · P
Windows Modify Registry DisableRemoteDesktopAntiAlias · ESCU · actions · alerting · P
Windows Modify Registry DisableSecuritySettings · ESCU · actions · alerting · P
Windows Modify Registry Disabling WER Settings · ESCU · actions · alerting · P
Windows Modify Registry DisAllow Windows App · ESCU · actions · alerting · P
Windows Modify Registry Do Not Connect To Win Update · ESCU · actions · hunting · P
Windows Modify Registry DontShowUI · ESCU · actions · alerting · P
Windows Modify Registry EnableLinkedConnections · ESCU · actions · alerting · P
Windows Modify Registry LongPathsEnabled · ESCU · actions · hunting · P
Windows Modify Registry MaxConnectionPerServer · ESCU · actions · hunting · P
Windows Modify Registry No Auto Reboot With Logon User · ESCU · actions · hunting · P
Windows Modify Registry No Auto Update · ESCU · actions · hunting · P
Windows Modify Registry NoChangingWallPaper · ESCU · actions · alerting · P
Windows Modify Registry on Smart Card Group Policy · ESCU · actions · hunting · P
Windows Modify Registry ProxyEnable · ESCU · actions · hunting · P
Windows Modify Registry ProxyServer · ESCU · actions · hunting · P
Windows Modify Registry Qakbot Binary Data Registry · ESCU · actions · hunting · P
Windows Modify Registry Regedit Silent Reg Import · ESCU · actions · hunting · P
Windows Modify Registry Risk Behavior · ESCU · actions · alerting · P
Windows Modify Registry Suppress Win Defender Notif · ESCU · actions · hunting · P
Windows Modify Registry Tamper Protection · ESCU · actions · alerting · P
Windows Modify Registry to Add or Modify Firewall Rule · ESCU · actions · hunting · P
Windows Modify Registry UpdateServiceUrlAlternate · ESCU · actions · hunting · P
Windows Modify Registry USeWuServer · ESCU · actions · hunting · P
Windows Modify Registry Utilize ProgIDs · ESCU · actions · hunting · P
Windows Modify Registry ValleyRAT C2 Config · ESCU · actions · alerting · P
Windows Modify Registry ValleyRat PWN Reg Entry · ESCU · actions · alerting · P
Windows Modify Registry With MD5 Reg Key Name · ESCU · actions · alerting · P
Windows Modify Registry WuServer · ESCU · actions · hunting · P
Windows Modify Registry wuStatusServer · ESCU · actions · hunting · P
Windows Modify Show Compress Color And Info Tip Registry · ESCU · actions · alerting · P
Windows New InProcServer32 Added · ESCU · actions · hunting · P
Windows Outlook Dialogs Disabled from Unusual Process · ESCU · actions · alerting · P
Windows Outlook LoadMacroProviderOnBoot Persistence · ESCU · actions · alerting · P
Windows Outlook WebView Registry Modification · ESCU · actions · hunting · P
Windows Routing and Remote Access Service Registry Key Change · ESCU · actions · hunting · P
Windows RunMRU Registry Key or Value Deleted · ESCU · actions · hunting · P
Windows Set Network Profile Category to Private via Registry · ESCU · actions · hunting · P
Windows Snake Malware Registry Modification wav OpenWithProgIds · ESCU · actions · alerting · P
Windows SnappyBee Create Test Registry · ESCU · actions · alerting · P
Windows Set Private Network Profile via Registry · ESCU · actions · hunting · P
[LLM] Write of unattend.xml or ReAgent.xml to system recovery partition (GreatXML staging) · Bespoke · weapon · alerting · DSΣPDDCS
[LLM] reagentc.exe invocation enabling or remounting WinRE before reboot (GreatXML precondition) · Bespoke · install · alerting · DSΣPDDCS
[LLM] HTTP/2 Bomb mitigation tampering — MaxHeadersCount registry value (CVE-2026-49160) · Bespoke · actions · alerting · DSΣPDDCS
[LLM] Argamal COM Hijack of Windows Color System Calibration Loader CLSID · Bespoke · install · alerting · DSΣPDDCS
[LLM] MSRT tampering: HKLM\Software\Policies\Microsoft\MRT DontOfferThroughWUAU = 1 · Bespoke · install · alerting · DSΣPDDCS
[LLM] termsrv.dll patched (multi-RDP enabling) - takeown + binary write + TermService restart · Bespoke · install · alerting · DSΣPDDCS
[LLM] fast16 Carrier Runtime Artefacts (SvcMgmt service / pipe p577 / \Device\fast16) · Bespoke · install · hunting · DSP
[LLM] ValleyRAT registry-resident shellcode (HKCU\Console\0|1) and MyPythonApp Run-key persistence · Bespoke · install · hunting · DSΣP
[LLM] MuddyViper persistence via ManageOnDriveUpdater scheduled task or Startup folder hijack · Bespoke · install · alerting · DSPDDCS

Articles citing this technique (10)