Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
|
| Enterprise | T1556 | 修改身份验证过程 |
Restrict Registry permissions to disallow the modification of sensitive Registry keys such as |
|
| .008 | Network Provider DLL |
Restrict Registry permissions to disallow the modification of sensitive Registry keys such as |
||
| Enterprise | T1574 | 劫持执行流 |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
|
| .011 | Services Registry Permissions Weakness |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
||
| .012 | COR_PROFILER |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER. |
||
| Enterprise | T1037 | 启动或登录初始化脚本 |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
|
| .001 | Logon Script (Windows) |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
||
| Enterprise | T1547 | .003 | 启动或登录自动启动执行: Time Providers |
Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. [1] |
| Enterprise | T1562 | 妨碍防御 |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
|
| .001 | Disable or Modify Tools |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
||
| .002 | Disable Windows Event Logging |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.[2] |
||
| .004 | Disable or Modify System Firewall |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
||
| Enterprise | T1489 | 服务停止 |
Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
|
| Enterprise | T1505 | 服务器软件组件 |
Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.[3] |
|
| .005 | Terminal Services DLL |
Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.[3] |
||
| Enterprise | T1070 | .007 | 移除指标: Clear Network Connection History and Configurations |
Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1553 | 颠覆信任控制 |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. |
|
| .003 | SIP and Trust Provider Hijacking |
Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. |
||
| .006 | Code Signing Policy Modification |
Ensure proper permissions are set for the Registry to prevent users from modifying keys related to code signing policies. |
||