Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e)

The removal of a registry key within the Windows operating system.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion when it follows a 4660 event for the same Handle ID.
    • Event ID 4660 - Object Deleted: Logs when a registry key is deleted. The event records the Handle ID and process but not the key name, so correlate it with the earlier 4656/4663 event carrying that Handle ID. Both events require a SACL on the key and the "Audit Registry" subcategory to be enabled.
  • Sysmon (System Monitor) for Windows
    • Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed (the same Event ID also covers key creation, so filter on EventType = DeleteKey).
    • Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.
  • Endpoint Detection and Response (EDR) Solutions
    • Monitor registry deletions for suspicious behavior.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--------- | -------- | --------- | -------- | -----
Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1
Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e) | mitre-data-component | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 1
Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e) | mitre-data-component | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1
Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e) | mitre-data-component | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1
Windows Registry Key Deletion (1177a4c5-31c8-400c-8544-9071166afa0e) | mitre-data-component | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2