An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a Lateral Movement technique, discover the configuration of a host, achieve Persistence, or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005.

Remote access to the registry can be achieved via

  • Windows API function RegConnectRegistry
  • command line via reg.exe
  • graphically via regedit.exe

All of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Modify Registry N/A Defense Evasion Moderate

D3FEND Techniques

ID Name
D3-IPCTA IPC Traffic Analysis

Data Model References

Object Action Field
flow message dest_port
flow message proto_info



flows = search Flow:Message
winreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG")
winreg_modify = filter flows where (proto_info.function == "Create*" or proto_info.function == "SetValue*")

output winreg_modify