Skip to content

Hide Navigation Hide TOC

Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129)

Initial construction of a new registry key within the Windows operating system.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys.
    • Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation.
  • Sysmon (System Monitor) for Windows
    • Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created.
Cluster A Galaxy A Cluster B Galaxy B Level
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Windows Registry Key Creation (7f70fae7-a68d-4730-a83a-f260b9606129) mitre-data-component 1
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 2